
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2025-62185) was discovered in Ankitects Anki versions before 25.02.5. The vulnerability allows a crafted shared deck to place a YouTube downloader executable (youtube-dl.exe, yt-dlp.exe, or yt-dlp_x86.exe) in the media folder, which is then executed when a YouTube link in the deck is accessed (NVD).
The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from mpv looking for YouTube downloader executables on the system path, which includes the current working directory (CWD) on Windows. This allows malicious shared decks to exploit the behavior by placing executable files that mpv would automatically invoke when encountering YouTube links (Anki Commit).
The vulnerability could allow arbitrary code execution through a malicious shared deck when a YouTube link is accessed. This poses a significant security risk as it could lead to unauthorized code execution with the privileges of the user running the Anki application (NVD).
The vulnerability has been patched in Anki version 25.02.5. The fix involves disabling YouTube DL functionality in mpv by adding the '--no-ytdl' flag to prevent automatic execution of YouTube downloader executables. Users are advised to upgrade to version 25.02.5 or later to address this security issue (Anki Commit).
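A defender-side check for the condition described above, as an added example that is not code from Anki or from the advisory: it looks in each profile's media folder for the three downloader file names the advisory lists. The `<profile>/collection.media` layout, the function names and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Names from the advisory, lowercased: Windows file names are case-insensitive.
YTDL_NAMES = {"youtube-dl.exe", "yt-dlp.exe", "yt-dlp_x86.exe"}


def find_planted_downloaders(media_dir):
    """Return sorted (file name, starts_with_MZ) pairs for matching files."""
    hits = []
    for entry in os.scandir(media_dir):
        if entry.is_file(follow_symlinks=False) and entry.name.lower() in YTDL_NAMES:
            with open(entry.path, "rb") as fh:
                hits.append((entry.name, fh.read(2) == b"MZ"))  # PE/DOS magic
    return sorted(hits)


def scan_anki_base(base_dir):
    """Map profile name -> hits for each <profile>/collection.media folder.

    Assumption: the usual Anki layout of one folder per profile under the base."""
    report = {}
    for media in sorted(Path(base_dir).glob("*/collection.media")):
        if media.is_dir():
            hits = find_planted_downloaders(media)
            if hits:
                report[media.parent.name] = hits
    return report


def build_sample(base_dir):
    """Create a constructed sample tree (placeholder bytes, no real binaries)."""
    files = {
        "User 1/collection.media/YT-DLP.EXE": b"MZ\x90\x00",
        "User 1/collection.media/card-image.jpg": b"\xff\xd8\xff",
        "User 2/collection.media/audio.mp3": b"ID3",
        "User 3/collection.media/youtube-dl.exe": b"not a binary",
    }
    for rel, data in files.items():
        path = Path(base_dir, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for profile, hits in scan_anki_base(tmp).items():
            print(profile, hits)
```

A media folder has no legitimate reason to hold a file with one of these names, so any hit is worth reviewing whether or not the `MZ` flag is set.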
Source: This report was generated using AI