Cyber Posture

CVE-2025-66203

Critical · Public PoC

Published: 27 December 2025
Modified: 09 March 2026
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0070 (72.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Directly mandates validation of administrator inputs to the /admin/api/saveConfig endpoint to block malicious yt-dlp arguments that enable OS command injection and RCE.
- prevent / recover: Requires timely identification, reporting, and correction of the RCE flaw, such as applying the patch in StreamVault version 251126.
- prevent: Restricts classes of inputs to the configuration endpoint, such as prohibiting shell metacharacters or excessive lengths, to mitigate command injection risks.

Security Summary · AI

CVE-2025-66203 is a remote code execution (RCE) vulnerability affecting StreamVault, a video download integration solution, in versions prior to 251126. The issue resides in the stream-vault application (SpiritApplication), where administrators can configure yt-dlp arguments through the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and later used in YtDlpUtil.java to construct command lines for executing yt-dlp, enabling OS command injection (CWE-78). The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

An authenticated attacker with low privileges, such as an administrator, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting malicious yt-dlp arguments via the configuration endpoint, the attacker can inject arbitrary commands that execute during subsequent yt-dlp invocations. This achieves full system compromise, with high impact on confidentiality, integrity, and availability; the changed scope (S:C) indicates that the impact extends beyond the vulnerable application component itself.

The vulnerability has been patched in StreamVault version 251126. Official mitigation details are available in the GitHub security advisory at https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m and the release notes at https://github.com/lemon8866/StreamVault/releases/tag/251226, which security practitioners should review for upgrade instructions and any additional hardening recommendations.
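As an added illustration of the control described above (this is not StreamVault's code and not a description of its actual fix), the following hypothetical Java validator shows the shape of the hardening: administrator-supplied yt-dlp options are checked against an allow-list of flags, values are restricted to a conservative character set and length, and yt-dlp is launched as an argument vector rather than through a shell. The class name, flag set, and limits are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical policy for admin-configured yt-dlp options (illustrative, not StreamVault's code). */
public final class YtDlpArgPolicy {
    // Allow-list, not deny-list: only these flags may be set from the admin configuration.
    // yt-dlp itself has options that run other programs (for example --exec), so avoiding the
    // shell alone is not enough; the flag set must be restricted too.
    private static final Set<String> ALLOWED_FLAGS = Set.of(
        "--format", "--merge-output-format", "--no-playlist", "--limit-rate", "--retries");
    // Values must be passed as separate tokens ("--format", "best"), never "--format=best".
    // No whitespace, quotes, or shell metacharacters; length is capped as well.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9._+/=:-]{1,64}");
    private static final int MAX_ARGS = 16;   // assumed limit

    /** Returns an immutable copy of the arguments, or throws if any token violates the policy. */
    public static List<String> validate(List<String> args) {
        if (args.size() > MAX_ARGS) {
            throw new IllegalArgumentException("too many yt-dlp arguments");
        }
        for (String a : args) {
            if (a.startsWith("-")) {
                if (!ALLOWED_FLAGS.contains(a)) {
                    throw new IllegalArgumentException("flag not permitted: " + a);
                }
            } else if (!SAFE_VALUE.matcher(a).matches()) {
                throw new IllegalArgumentException("unsafe argument value");
            }
        }
        return List.copyOf(args);
    }

    /** Builds the command as an argument vector; no shell parses it, so tokens cannot be split or chained. */
    public static ProcessBuilder command(String ytDlpPath, List<String> validatedArgs, String url) {
        List<String> cmd = new ArrayList<>();
        cmd.add(ytDlpPath);
        cmd.addAll(validatedArgs);
        cmd.add("--");   // end of options: the URL can never be interpreted as a flag
        cmd.add(url);
        return new ProcessBuilder(cmd);
    }
}
```

Validation should run at the /admin/api/saveConfig handler before the arguments are stored, so that a rejected configuration never reaches the stored global state that later invocations read.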

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Affected Products

- lemon8866 / streamvault: ≤ 251126

MITRE ATT&CK Enterprise Techniques · AI

- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables OS command injection (CWE-78) for arbitrary remote code execution by an authenticated low-privilege administrator, which maps directly to command interpreter abuse (T1059), exploitation for privilege escalation (T1068), and exploitation of remote services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References