CVE-2025-62185: CWE-427 Uncontrolled Search Path Element in Ankitects Anki

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-62185, cve, cve-2025-62185, cwe-427
Published: Tue Oct 07 2025 (10/07/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Ankitects
Product: Anki

Description

In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.

AI-Powered Analysis

Last updated: 10/15/2025, 01:06:45 UTC

Technical Analysis

CVE-2025-62185 is a vulnerability classified as CWE-427 (Uncontrolled Search Path Element) affecting Ankitects Anki versions prior to 25.02.5. The flaw arises because Anki executes certain executables located in the media folder when processing YouTube links embedded in shared decks. An attacker can craft a malicious shared deck that includes a YouTube downloader executable—such as youtube-dl.exe, yt-dlp.exe, or yt-dlp_x86.exe—in the media folder. When the victim opens the deck and accesses the YouTube link, the malicious executable is run automatically. This behavior allows an attacker to execute arbitrary code on the victim’s system with the privileges of the user running Anki. The vulnerability does not require user interaction beyond opening the deck and clicking the link, and no prior authentication or elevated privileges are needed. The CVSS v3.1 score is 6.7 (medium severity), reflecting a local attack vector with high confidentiality and integrity impact but high attack complexity. No known exploits have been reported in the wild as of the publication date. The root cause is the lack of validation or control over executables in the media folder and the unsafe execution of these files when processing YouTube links. This vulnerability highlights the risks of executing external binaries from user-supplied content without strict validation or sandboxing.

Potential Impact

For European organizations, especially those in education, research, or any sector using Anki for knowledge management, this vulnerability poses a risk of arbitrary code execution leading to data theft, manipulation, or disruption of learning environments. Confidentiality is at high risk since malicious executables could exfiltrate sensitive information stored or accessed via Anki. Integrity is also compromised as attackers could alter or corrupt data or learning content. Availability impact is low as the vulnerability does not directly cause denial of service. The attack requires local access to the victim’s media folder, so it is more likely to be exploited via social engineering (e.g., sharing malicious decks) or insider threats. European organizations with decentralized or less controlled software environments may be more vulnerable. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as Anki is popular in academic and professional training contexts across Europe.

Mitigation Recommendations

1. Upgrade Anki to version 25.02.5 or later where this vulnerability is fixed.
2. Implement strict access controls on the media folder to prevent unauthorized write or modification of executables.
3. Educate users to avoid opening shared decks from untrusted sources and to verify the origin of shared content.
4. Use application whitelisting or endpoint protection solutions to detect and block execution of unauthorized binaries in Anki’s media folder.
5. Consider sandboxing or running Anki in a restricted environment to limit the impact of potential code execution.
6. Monitor systems for suspicious activity related to execution of youtube-dl.exe, yt-dlp.exe, or similar tools.
7. Encourage organizational policies to validate and scan shared decks before distribution or use.
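
A check that supports items 4 and 6 above, as an added example (not part of the original advisory and not Anki's own code): it walks a media folder and reports any file named like one of the three downloader executables from the description, with its PE magic check and SHA-256 for triage. The function names are hypothetical, the caller supplies the media folder path, and matching is by file name only.

```python
import hashlib
import os
from pathlib import Path

# Executable names listed in the CVE-2025-62185 description.
DOWNLOADER_NAMES = {"youtube-dl.exe", "yt-dlp.exe", "yt-dlp_x86.exe"}


def normalize(name):
    # Windows matches file names case-insensitively and ignores trailing
    # dots and spaces, so compare on the normalized form.
    return name.rstrip(" .").lower()


def scan_media_folder(media_dir):
    """Return one finding per file under media_dir named like a downloader.

    Each finding holds the path relative to media_dir, whether the file
    starts with the 'MZ' magic of a Windows executable, and its SHA-256
    for reputation lookup or allow-list comparison.
    """
    root = Path(media_dir)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if normalize(name) not in DOWNLOADER_NAMES:
                continue
            path = Path(dirpath) / name
            data = path.read_bytes()
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "is_pe": data[:2] == b"MZ",
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import tempfile
    # Constructed sample folder standing in for a profile's media folder.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "YT-DLP.EXE").write_bytes(b"MZ\x90\x00constructed sample")
        Path(d, "diagram.png").write_bytes(b"\x89PNG constructed sample")
        for finding in scan_media_folder(d):
            print(finding)
```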

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-10-07T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e582fea677756fc9a25d63

Added to database: 10/7/2025, 9:15:42 PM

Last enriched: 10/15/2025, 1:06:45 AM

Last updated: 11/22/2025, 12:54:39 PM
