CVE-2025-43858 Overview
CVE-2025-43858 is a command injection vulnerability affecting YoutubeDLSharp, a popular .NET wrapper library for the command-line video downloaders youtube-dl and yt-dlp. The vulnerability exists in versions starting from 1.0.0-beta4 through versions prior to 1.1.2, where an unsafe conversion of arguments allows the injection of malicious commands when starting yt-dlp from a command prompt running on Windows OS.
The vulnerable behavior is tied to the UseWindowsEncodingWorkaround configuration value, which is set to true by default. When users leverage the built-in methods from the YoutubeDL.cs file, this default setting cannot be disabled through those methods, leaving applications exposed to potential exploitation.
Critical Impact
Attackers can inject arbitrary commands through maliciously crafted input, potentially leading to complete system compromise on Windows systems running vulnerable versions of YoutubeDLSharp.
Affected Products
- YoutubeDLSharp versions 1.0.0-beta4 through 1.1.1
- Applications using built-in methods from YoutubeDL.cs with default configurations
- Windows systems running yt-dlp through affected YoutubeDLSharp wrappers
Discovery Timeline
- April 24, 2025 - CVE-2025-43858 published to NVD
- April 29, 2025 - Last updated in NVD database
Technical Details for CVE-2025-43858
Vulnerability Analysis
This command injection vulnerability (CWE-77) stems from unsafe argument handling when YoutubeDLSharp invokes the underlying yt-dlp executable on Windows systems. The root issue lies in the UseWindowsEncodingWorkaround feature, which was designed to support Unicode characters in output filenames by routing commands through cmd.exe. However, this implementation introduced a critical security flaw by allowing unsanitized user input to be interpreted as shell commands.
When the workaround is enabled (the default behavior), arguments passed to yt-dlp are processed in a way that permits command separator characters and shell metacharacters to break out of the intended command context. An attacker who can control input parameters such as URLs or output filenames can inject additional commands that will be executed with the privileges of the running process.
Root Cause
The vulnerability originates from the YoutubeDLProcess.cs file, where the UseWindowsEncodingWorkaround property was defined with a default value of true. This setting caused all yt-dlp invocations to be wrapped in a cmd.exe call to handle non-ASCII characters, but without proper escaping or sanitization of the arguments being passed. The Exec option in YoutubeDL.cs used echo outfile: {} to capture output filenames, which could be exploited through command injection when combined with the Windows encoding workaround.
Attack Vector
The attack vector is local, requiring an attacker to influence input that gets passed to YoutubeDLSharp's download or processing methods. This could occur in scenarios where:
- A web application accepts user-supplied URLs for video downloading
- An application processes playlist files or URLs from untrusted sources
- Configuration parameters can be manipulated by malicious actors
The following patch shows the removal of the vulnerable UseWindowsEncodingWorkaround property:
/// </summary>
public string ExecutablePath { get; set; }
- /// <summary>
- /// Windows only. If set to true, start process via cmd.exe to support Unicode chars.
- /// </summary>
- public bool UseWindowsEncodingWorkaround { get; set; } = true;
-
/// <summary>
/// Occurs each time yt-dlp writes to the standard output.
/// </summary>
Source: GitHub Commit
The fix also replaced the vulnerable Exec option with a safer Print approach:
NoOverwrites = !this.OverwriteFiles,
NoPart = true,
FfmpegLocation = Utils.GetFullPath(this.FFmpegPath),
- Exec = "echo outfile: {}"
+ Print = "after_move:outfile: %(filepath)s"
};
}
Source: GitHub Commit
Detection Methods for CVE-2025-43858
Indicators of Compromise
- Unexpected cmd.exe child processes spawned by applications using YoutubeDLSharp
- Anomalous command-line arguments containing shell metacharacters such as &, |, ;, or $()
- Process execution chains showing yt-dlp or youtube-dl followed by suspicious secondary processes
- Log entries showing URLs or filenames with embedded command sequences
Detection Strategies
- Monitor process creation events for cmd.exe instances spawned by .NET applications that use YoutubeDLSharp
- Implement application-level logging to capture all URLs and parameters passed to video download functions
- Use endpoint detection rules to identify command injection patterns in process arguments
- Review application dependencies and check for YoutubeDLSharp versions between 1.0.0-beta4 and 1.1.1
Monitoring Recommendations
- Configure SentinelOne to alert on suspicious process trees involving video download utilities followed by shell execution
- Enable command-line argument logging for all yt-dlp and youtube-dl invocations
- Deploy static analysis rules to identify applications using vulnerable YoutubeDLSharp versions
- Monitor network traffic for unusual patterns following video download requests
How to Mitigate CVE-2025-43858
Immediate Actions Required
- Upgrade YoutubeDLSharp to version 1.1.2 or later immediately
- Audit all applications that depend on YoutubeDLSharp for affected versions
- Implement strict input validation on all URLs and parameters passed to video download functions
- Consider temporarily disabling video download functionality until the patch is applied
Patch Information
The vulnerability has been addressed in YoutubeDLSharp version 1.1.2. The fix removes the problematic UseWindowsEncodingWorkaround functionality entirely and replaces the vulnerable Exec option with a safer Print approach for capturing output filenames. Detailed information about the patches can be found in the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, avoid processing untrusted URLs or user-supplied input through YoutubeDLSharp
- Implement a strict allowlist for URL domains that can be processed
- Deploy application-level input sanitization to filter command injection characters before they reach YoutubeDLSharp
- Consider running video download operations in a sandboxed environment with limited privileges
# Update YoutubeDLSharp via NuGet Package Manager
dotnet add package YoutubeDLSharp --version 1.1.2
# Verify installed version
dotnet list package | grep YoutubeDLSharp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
