CVE-2025-66203: StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection

← Back to Vulnerability Index

CVE-2025-66203 - StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection

Dec. 27, 2025, 12:15 a.m. | 34 minutes ago CRITICAL CVSS Score: 9.9/10.0

⚠️ Security Alert: A critical vulnerability has been identified that requires immediate attention.

Vulnerability Overview

CVE Identifier:

CVE-2025-66203

Severity Rating:

9.9 / 10.0 - CRITICAL

Detection Date:

27 Dec 2025

Vulnerability Type:

Vulnerability

Description

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Potential Impact

This vulnerability poses a critical risk to affected systems. Organizations using the affected software should prioritize patching and implement appropriate security measures immediately.

• Unauthorized Access: Potential unauthorized access to sensitive systems or data
• Remote Code Execution: Attackers may execute arbitrary code remotely
• Service Disruption: Risk of service disruption or denial of service attacks
• Data Breach: Possibility of data breach or information disclosure

Recommended Actions

1. Immediate Assessment: Identify if your systems are running affected versions of the software
2. Apply Patches: Install security updates and patches as soon as they become available
3. Implement Workarounds: Apply temporary mitigations if patches are not yet available
4. Monitor Systems: Increase monitoring for signs of exploitation attempts
5. Update Security Policies: Review and update security policies based on this vulnerability
6. Inform Stakeholders: Communicate the risk to relevant stakeholders and teams

Stay Informed: Subscribe to our security alerts to receive timely updates on critical vulnerabilities and security advisories.

Disclaimer: This information is provided for security awareness purposes. Always verify with official sources and consult with security professionals before taking action. The severity scores and information are based on publicly available data at the time of publication.