CVE-2025-54072: 
Linux Alpine vulnerability analysis and mitigation

CVE-2025-54072 affects yt-dlp, a feature-rich command-line audio/video downloader, in versions 2025.06.25 and below. The vulnerability was discovered and disclosed on July 22, 2025, and involves insufficient sanitization of filepath when using the --exec option on Windows with the default placeholder, potentially allowing for remote code execution (GitHub Advisory, NVD).

The vulnerability occurs due to incorrect sanitization rules being applied to the expanded filepath in the --exec postprocessor. The code fails to pass shell=True to shell_quote, resulting in improper escaping rules being applied. While yt-dlp's sanitization replaces any " or : characters in the filepath with full-width counterparts, the vulnerability can be exploited when an environment variable containing an odd number of " characters is present. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability could allow attackers to achieve remote code execution on Windows systems when specific conditions are met. However, the impact is considered minimal as exploitation requires a variable containing an odd number of " characters to be set in the user's environment, which is uncommon. No maliciously crafted metadata targeting this vulnerability has been found in the wild (GitHub Advisory).

The vulnerability has been patched in version 2025.07.21 by applying new escaping rules to the placeholder expansion. Windows users who cannot upgrade immediately should avoid using --exec altogether. Alternative workarounds include using --write-info-json or --dump-json options with an external script or command line consuming the JSON output (GitHub Advisory, GitHub Release).