Description
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-205468
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-205468 pertains to a Remote Code Execution (RCE) issue in the StreamVault application, specifically within the SpiritApplication component. The vulnerability arises from insufficient validation of yt-dlp arguments configured via the /admin/api/saveConfig endpoint. These arguments are stored globally and used in YtDlpUtil.java to construct command lines for executing yt-dlp, a popular command-line program to download videos from YouTube and other sites.
Severity Evaluation:
- Base Score: 10.0 (Critical)
- Base Score Version: CVSS 3.1
- Base Score Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
The CVSS score of 10.0 indicates a critical vulnerability due to the following factors:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
This high severity is due to the potential for complete system compromise, including unauthorized access to sensitive information, modification of data, and disruption of services.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Remote Code Execution (RCE): An attacker can exploit the vulnerability by sending malicious yt-dlp arguments through the /admin/api/saveConfig endpoint. These arguments are not properly validated, allowing the attacker to inject arbitrary commands that will be executed by the system.
Exploitation Methods:
- Command Injection: By crafting specific yt-dlp arguments that include malicious commands, an attacker can execute arbitrary code on the target system. This can lead to various malicious activities such as data exfiltration, system compromise, and further lateral movement within the network.
3. Affected Systems and Software Versions
Affected Systems:
- StreamVault application versions prior to 251126.
Software Versions:
- All versions of StreamVault before 251126 are vulnerable. The issue has been patched in version 251126.
4. Recommended Mitigation Strategies
Immediate Actions:
- Upgrade: Upgrade to StreamVault version 251126 or later, which includes the patch for this vulnerability.
- Access Control: Restrict access to the /admin/api/saveConfig endpoint to trusted administrators only.
- Input Validation: Implement additional input validation and sanitization for yt-dlp arguments to prevent command injection.
Long-Term Strategies:
- Regular Audits: Conduct regular security audits and code reviews to identify and mitigate similar vulnerabilities.
- Monitoring: Implement monitoring and logging for suspicious activities related to the /admin/api/saveConfig endpoint.
- Security Training: Provide security training for developers and administrators to raise awareness about secure coding practices and potential attack vectors.
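One way to implement the input validation recommended above, shown as an added example (not StreamVault's code and not the actual patch): an allowlist that accepts only named yt-dlp options with strictly matched values and returns them as separate argv elements. The class name, the set of permitted options and the value patterns are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not project code: allowlist policy for admin-configured yt-dlp options.
public class YtDlpArgPolicy {
    private static final Pattern FLAG = Pattern.compile("");          // option takes no value
    private static final Pattern NUM = Pattern.compile("[0-9]{1,3}");
    // Assumed policy: option name -> pattern its single value must fully match.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "--no-playlist", FLAG,
        "--no-warnings", FLAG,
        "--retries", NUM,
        "--socket-timeout", NUM,
        "--limit-rate", Pattern.compile("[0-9]{1,6}[KM]?"),
        "--merge-output-format", Pattern.compile("mp4|mkv|webm"));

    /** Returns the options as separate argv elements; throws on anything not listed. */
    static List<String> validate(List<String> configured) {
        List<String> argv = new ArrayList<>();
        for (int i = 0; i < configured.size(); i++) {
            String opt = configured.get(i);
            Pattern value = ALLOWED.get(opt);   // exact name only: no prefixes, no "--opt=value"
            if (value == null) throw new IllegalArgumentException("option not allowed: " + opt);
            argv.add(opt);
            if (value != FLAG) {                // consume and check exactly one value
                if (++i >= configured.size() || !value.matcher(configured.get(i)).matches())
                    throw new IllegalArgumentException("bad value for " + opt);
                argv.add(configured.get(i));
            }
        }
        return argv;
    }

    /** Builds the command list; the URL follows "--" so it is never parsed as an option. */
    static List<String> buildCommand(List<String> configured, String url) {
        List<String> cmd = new ArrayList<>(List.of("yt-dlp", "--ignore-config"));
        cmd.addAll(validate(configured));
        cmd.add("--");
        cmd.add(url);
        return cmd;   // hand to new ProcessBuilder(cmd); never join into a shell string
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(buildCommand(List.of("--retries", "3", "--no-playlist"), "https://example.com/v/1"));
        try { validate(List.of("--unlisted-option")); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running the same check both when /admin/api/saveConfig stores the configuration and again immediately before the process is started means values saved before the check existed are also rejected.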
5. Impact on European Cybersecurity Landscape
The vulnerability in StreamVault poses a significant risk to organizations using this software within the European Union. Given the critical nature of the vulnerability, successful exploitation could lead to widespread data breaches, service disruptions, and potential violations of GDPR regulations. This underscores the importance of timely patching and adherence to best security practices to protect sensitive data and maintain service integrity.
6. Technical Details for Security Professionals
Vulnerability Details:
- Component: SpiritApplication
- Endpoint: /admin/api/saveConfig
- Affected File: YtDlpUtil.java
- Exploitation: Malicious yt-dlp arguments are stored globally and used to construct command lines, leading to RCE.
Patch Information:
- Patched Version: 251126
- Release Notes: StreamVault Release 251226
References:
- Advisory: GitHub Security Advisory
- CVE ID: CVE-2025-66203
Additional Recommendations:
- Code Review: Conduct a thorough code review of the YtDlpUtil.java file and related components to ensure proper input validation and sanitization.
- Penetration Testing: Perform penetration testing to identify and mitigate any additional vulnerabilities in the StreamVault application.
By addressing this vulnerability promptly and implementing robust security measures, organizations can significantly reduce the risk of exploitation and enhance their overall cybersecurity posture.