PT-2025-17849 · Unknown+1 · Youtubedlsharp+1

Kitsumed · Published 2025-04-23 · Updated 2025-04-25 · CVE-2025-43858

CVSS v3.1: 9.2 Critical

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

YoutubeDLSharp versions 1.0.0-beta4 through 1.1.2

Description

The issue is an unsafe conversion of arguments that allows the injection of malicious commands when yt-dlp is started from a command prompt on Windows OS with the UseWindowsEncodingWorkaround value set to true. This is the default behavior, especially when using built-in methods from the YoutubeDL.cs file, where the value cannot be disabled. The problem has been patched in version 1.1.2.

Recommendations

For versions 1.0.0-beta4 through 1.1.2, update to version 1.1.2 to resolve the issue. As a temporary workaround, consider disabling the UseWindowsEncodingWorkaround value, if possible, until a patch is applied. Restrict access to the yt-dlp command prompt on Windows OS to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-43858
GHSA-2JH5-G5CH-43Q5

Affected Products

Youtubedlsharp
Yt-Dlp