yt-dlp Windows Placeholder Expansion Vulnerability in --exec Option Allows Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in yt-dlp, a command-line audio/video downloader, when the --exec option is used on Windows with the default placeholder. In versions through 2025.06.25, the expanded filepath from the placeholder received inadequate sanitization, creating an opportunity for code execution. This issue bypasses the mitigation implemented for CVE-2024-22423, as the default placeholder was not addressed by the new escaping rules. Users unable to upgrade should refrain from using --exec and can instead utilize the --write-info-json or --dump-json options, with an external script processing the JSON output.

Impact

Exploitation of this vulnerability allows for remote code execution on the Windows system where yt-dlp is run.

Reproduction

To reproduce this vulnerability, set an environment variable with an odd number of quotation marks. Then, use yt-dlp with the --exec option, including the default placeholder. The vulnerability can be demonstrated by replacing the placeholder with a command that, due to the improper escaping, is executed on the system.

Remediation

Users should upgrade to yt-dlp version 2025.07.21 or later. For those unable to upgrade, it is advised to avoid using the --exec option on Windows.
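The JSON-based alternative to --exec mentioned in the Vulnerability section can be sketched as follows. This is an added example, not code from yt-dlp or from this advisory. It assumes each JSON record carries the output path in a "filename" field. The "{}" marker, the function names and the sample record are constructed for illustration.

```python
import json
import subprocess
import sys

PLACEHOLDER = "{}"  # hypothetical marker for this script, not yt-dlp syntax


def build_argv(info, template):
    """Return argv with each PLACEHOLDER element replaced by the file path.

    The path stays one list element and is never spliced into a command
    string, so no shell (cmd.exe included) gets to re-parse it.
    """
    path = info.get("filename")  # assumed field name in the JSON record
    if not isinstance(path, str) or not path:
        raise ValueError("JSON record has no usable 'filename'")
    return [path if arg == PLACEHOLDER else arg for arg in template]


def run_for_each(json_lines, template):
    """Run the template once per JSON line; return (argv, stdout) pairs."""
    results = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        argv = build_argv(json.loads(line), template)
        # A list with the default shell=False starts the program directly.
        # Point it at a real executable, not a .bat/.cmd file, because
        # Windows runs batch files through cmd.exe.
        done = subprocess.run(argv, capture_output=True, text=True, check=True)
        results.append((argv, done.stdout))
    return results


# Constructed sample record; the name carries characters cmd.exe treats specially.
SAMPLE = json.dumps({"id": "abc123", "filename": "Clip %TEMP% & notes.mp4"})
# Stand-in post-processing step: a child Python that echoes its one argument.
ECHO = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", PLACEHOLDER]

if __name__ == "__main__":
    # Real use: yt-dlp --dump-json --no-simulate URL | python this_script.py
    lines = [SAMPLE] if sys.stdin.isatty() else sys.stdin
    for argv, out in run_for_each(lines, ECHO):
        print(argv[-1], "->", repr(out))
```

The child process receives the file name byte for byte as a single argument, so the percent signs and ampersand in the sample are treated as data.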

Added: Jul 22, 2025, 10:32 PM
Updated: Jul 22, 2025, 10:32 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 5.8
remediation: 7.9
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.