CVE-2025-43858: 
C# vulnerability analysis and mitigation

CVE-2025-43858 affects YoutubeDLSharp, a wrapper for the command-line video downloaders youtube-dl and yt-dlp. The vulnerability exists in versions from 1.0.0-beta4 to versions prior to 1.1.2, where an unsafe conversion of arguments allows injection of malicious commands when starting yt-dlp from a commands prompt on Windows OS. The issue was discovered and disclosed on April 24, 2025 (GitHub Advisory).

The vulnerability stems from the UseWindowsEncodingWorkaround feature, which is enabled by default. When this feature is active, the application uses a command prompt to run yt-dlp instead of calling it directly, and fails to properly sanitize user-provided arguments. The vulnerability has been assigned a CVSS v3.1 base score of 9.2 (CRITICAL) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L. The issue is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection) (NVD).

The vulnerability allows attackers to execute arbitrary commands on the Windows system where the application is running. The impact is particularly severe in contexts where the library is used in network-facing applications, such as ASP.NET applications accepting inputs from the internet. The vulnerability affects confidentiality and integrity at a high level, with low impact on availability (GitHub Advisory).

The vulnerability has been patched in version 1.1.2, which completely removes the UseWindowsEncodingWorkaround property. For users unable to upgrade immediately, temporary workarounds include disabling UseWindowsEncodingWorkaround when using YoutubeDLProcess directly (though this loses Unicode character support), or implementing URL sanitization using Uri.TryCreate for URL inputs (GitHub Advisory).