{"id":"CVE-2025-66203","summary":"StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection","details":"StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line that executes yt-dlp, so an authenticated administrator can inject arbitrary arguments into that command (CWE-78). This issue has been patched in version 251126.","aliases":["GHSA-c747-q388-3v6m"],"modified":"2026-03-20T12:46:10.201933Z","published":"2025-12-26T23:37:03.817Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66203.json","cwe_ids":["CWE-78"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/lemon8866/StreamVault/releases/tag/251226"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66203.json"},{"type":"ADVISORY","url":"https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66203"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lemon8866/streamvault","events":[{"introduced":"0"},{"fixed":"2f82664676ca17f2bd367a256098104ff9d0442c"}]}],"versions":["251118"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66203.json","vanir_signatures":[{"digest":{"length":2588,"function_hash":"155800979433165109473385346489660933962"},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-0e520bc6","signature_version":"v1","target":{"function":"init","file":"backstage/src/main/java/com/flower/spirit/co
nfig/AppConfig.java"},"deprecated":false,"signature_type":"Function"},{"digest":{"line_hashes":["185327503860597283345862884983798572921","69736235815868154367558715660804054756","67152156368571709166439260246119718492","150182498785936268919908470447647984449","286934010942463720185220449310401916351","46095071628792840877941236467283167153"],"threshold":0.9},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-12862248","signature_version":"v1","target":{"file":"backstage/src/main/java/com/flower/spirit/config/AppConfig.java"},"deprecated":false,"signature_type":"Line"},{"digest":{"line_hashes":["222041133699624479509767237943054316894","43081717091622590838283302379830101949","194192703351410129921474661410309177759","177817934290815304655378566724208079829"],"threshold":0.9},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-1e99de53","signature_version":"v1","target":{"file":"backstage/src/main/java/com/flower/spirit/config/Global.java"},"deprecated":false,"signature_type":"Line"},{"digest":{"line_hashes":["80680450924251272962604400129368731286","185640982181675645487734521415063256574","252577821775512857205215449701029864699","3212446118532653226045412635609250358","95127535339335311367175631302404422073","108497259174003243679424163015138449152"],"threshold":0.9},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-34fa8534","signature_version":"v1","target":{"file":"backstage/src/main/java/com/flower/spirit/service/ConfigService.java"},"deprecated":false,"signature_type":"Line"},{"digest":{"line_hashes":["244473132521466927450471370521850087393","228493186551344759673351897882668673388","308541130589171726587604735438030391334","275629787493352098472910443517769868579","155507837999677800158003210274163753278","69363755745497671712470699708994549957","13
0207662442493914827913552097974214514"],"threshold":0.9},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-7b775642","signature_version":"v1","target":{"file":"backstage/src/main/java/com/flower/spirit/utils/YtDlpUtil.java"},"deprecated":false,"signature_type":"Line"},{"digest":{"length":1943,"function_hash":"122270353218312747557179432098976088418"},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-a03d9269","signature_version":"v1","target":{"function":"saveConfig","file":"backstage/src/main/java/com/flower/spirit/service/ConfigService.java"},"deprecated":false,"signature_type":"Function"},{"digest":{"length":3185,"function_hash":"59556860393872395856424751739428818195"},"source":"https://github.com/lemon8866/streamvault/commit/2f82664676ca17f2bd367a256098104ff9d0442c","id":"CVE-2025-66203-a5e959bb","signature_version":"v1","target":{"function":"exec","file":"backstage/src/main/java/com/flower/spirit/utils/YtDlpUtil.java"},"deprecated":false,"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}