CVE-2025-62363

Published: Oct 13, 2025

Modified: Oct 14, 2025

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

yt-grabber-tui is a terminal user interface application for downloading videos. In versions before 1.0-rc, the application allows users to configure the path to the yt-dlp executable via the path_to_yt_dlp configuration setting. An attacker with write access to the configuration file or the filesystem location of the configured executable can replace the executable with malicious code or create a symlink to an arbitrary executable. When the application invokes yt-dlp, the malicious code is executed with the privileges of the user running yt-grabber-tui. This vulnerability has been patched in version 1.0-rc.

Vendor	Product	Versions
zheny-creator	YtGrabber-TUI	affected `< 1.0-rc`

Weaknesses (CWE)

CWE-59

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/zheny-creator/YtGrabber-TUI/security/advisories/GHSA-94c4-wh57-8p9c

x_refsource_CONFIRM

https://github.com/zheny-creator/YtGrabber-TUI/commit/7adfdb68e8bf24559d1e9d8d4668de3d82c45591

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-62363

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References