Vulnerability Description
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lemon8866 | Streamvault | < 251126 |
Related Weaknesses (CWE)
References
- https://github.com/lemon8866/StreamVault/releases/tag/251226ProductRelease Notes
- https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6mExploitVendor Advisory
FAQ
What is CVE-2025-66203?
CVE-2025-66203 is a vulnerability with a CVSS score of 9.9 (CRITICAL). StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application a...
How severe is CVE-2025-66203?
CVE-2025-66203 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66203?
Check the references section above for vendor advisories and patch information. Affected products include: Lemon8866 Streamvault.