CVE-2025-66203 is a critical OS command injection vulnerability identified in lemon8866's StreamVault product, a video download integration solution. The vulnerability exists in versions prior to 251126 within the SpiritApplication component, specifically in the handling of yt-dlp command-line arguments configured via the /admin/api/saveConfig endpoint. Administrators can supply arguments that are stored globally and later used by YtDlpUtil.java to construct the command line for yt-dlp execution. Due to insufficient input validation or sanitization, an attacker with administrative privileges can inject malicious OS commands, leading to remote code execution (RCE) on the host system. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary commands can be executed with the privileges of the application. The CVSS v3.1 base score is 10.0, reflecting network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:L), no user interaction (UI:N), scope change (S:C), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits in the wild have been reported, the criticality of this flaw necessitates immediate remediation. The root cause is improper neutralization of special elements in OS commands (CWE-78), a common and dangerous injection flaw. The vulnerability was reserved on 2025-11-24 and published on 2025-12-26. No patch links were provided, but upgrading to version 251126 or later is indicated as the fix.

For European organizations, this vulnerability poses a severe risk especially to those using StreamVault in media production, broadcasting, or content delivery workflows. Successful exploitation allows attackers with administrative access to execute arbitrary commands remotely, potentially leading to full system compromise, data exfiltration, service disruption, or lateral movement within networks. The impact extends to confidentiality breaches of sensitive video content and intellectual property, integrity loss through unauthorized modifications, and availability disruptions via destructive commands or ransomware deployment. Given the critical CVSS score and the scope change, the vulnerability could affect multiple components or systems beyond the initial application. Organizations with inadequate access controls or exposed administrative interfaces are particularly vulnerable. The lack of required user interaction facilitates automated exploitation once administrative credentials are compromised. This elevates the threat level in environments with weak credential management or insufficient network segmentation. The absence of known exploits in the wild currently provides a small window for proactive defense, but the criticality demands urgent patching and monitoring.

1. Immediately upgrade StreamVault to version 251126 or later where the vulnerability is patched. 2. Restrict access to the /admin/api/saveConfig endpoint strictly to trusted administrators via network segmentation, VPNs, or zero-trust access controls. 3. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise. 4. Conduct input validation and sanitization on all parameters used in command-line construction, ensuring special characters are neutralized or disallowed. 5. Monitor logs and network traffic for unusual or unauthorized API calls to the administrative endpoints. 6. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. 7. Regularly audit and rotate administrative credentials and review user privileges to minimize exposure. 8. Consider isolating the StreamVault application in a hardened environment with minimal privileges and limited network connectivity to reduce blast radius. 9. Develop and test incident response plans specifically for RCE incidents involving StreamVault or similar applications. 10. Stay informed about vendor advisories and threat intelligence updates related to this vulnerability.