Submit #785843: Aandrew-me ytDownloader 3.20.2 Command Injection

Title: Aandrew-me ytDownloader 3.20.2 Command Injection

Description:

Summary
A command injection vulnerability exists in the ytDownloader compressor feature. The issue is caused by constructing a single ffmpeg command string from file-system paths and executing it with Node.js child_process.exec(). Because exec() invokes a shell, untrusted file names are treated as shell-interpreted input rather than as isolated process arguments. On Linux and macOS, where file names may contain a double quote character, a specially crafted file name can break the intended quoting and alter command parsing. If a user selects or drags such a file into the compressor UI and starts compression, arbitrary commands may execute with the privileges of the current user.

Affected Product
Product: ytDownloader
Repository: https://github.com/aandrew-me/ytDownloader
Affected version: 3.20.2

Severity
High
CVSS v3.1 Score: 8.2
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Technical Details
The vulnerable code is located in src/compressor.js. The compressor flow accepts files from the user through drag-and-drop or the file picker UI. For each selected file, the application derives an output path and builds an ffmpeg command as a single string. That command is then executed with child_process.exec().

The problem is that both file.path and the derived outputPath are interpolated directly into the shell command string and are only wrapped in double quotes. This is not a safe way to pass untrusted paths to a shell. If the file name contains shell-significant characters, the intended argument boundary can be broken and the shell may interpret attacker-controlled input as command syntax.

Impact
Successful exploitation can lead to arbitrary command execution in the context of the current user. This may allow an attacker to:
- execute local commands
- modify or delete files accessible to the user
- access sensitive user data
- disrupt availability of the application or user environment

The issue requires user interaction and local file delivery, but the resulting impact is still significant because the sink is direct shell execution.

Reproduction Notes
The issue can be validated safely without executing any unintended payload. A non-destructive verification approach, on Linux or macOS, is:

1. Create a minimal test PNG file:
   printf '\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90wS\xde\x00\x00\x00\x0cIDATx\x9cc\xf8\x0f\x00\x00\x01\x01\x00\x05\x18\r\xa2d\x00\x00\x00\x00IEND\xaeB`\x82' > base.png
2. Copy the file to a new name that contains a double quote character and additional shell-significant characters:
   cp base.png 'i1.png" & touch inject.txt & echo ".png'
3. Open ytDownloader and select the Compressor feature.
4. Choose the file 'i1.png" & touch inject.txt & echo ".png' and start compression.
5. Observe that an inject.txt file has been created in the current directory.

This demonstrates that the application is vulnerable to command injection through file-path handling.

Root Cause
The root cause is the use of child_process.exec() with a constructed shell command string containing untrusted file paths. Instead of invoking ffmpeg through a shell, the application should execute ffmpeg directly and pass arguments as an array. The current implementation incorrectly relies on ad hoc quoting, which is insufficient for shell safety.

Recommended Remediation
The vulnerable implementation should be replaced with a non-shell process invocation model:
- replace child_process.exec(commandString) with child_process.spawn() or execFile()
- construct ffmpeg arguments as an array
- pass file.path and outputPath as raw process arguments, not as shell-quoted string fragments
- avoid all shell interpretation for media-processing commands

This removes the shell injection surface entirely.

PoC
PoC video: https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4

Disclosure Timeline
Vulnerability discovered: 09/03/2026
Reported privately to maintainer: 11/03/2026
Maintainer acknowledged the issue: 11/03/2026
Public advisory published: 11/03/2026

Vendor Status
The maintainer has acknowledged the issue and indicated that a fix is in progress.
Source: https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4
User: ngocnn97 (UID 96701)
Submission: 03/23/2026 02:46
Moderation: 04/13/2026 15:30 (21 days later)
Status: Accepted
VulDB entry: 357140 [aandrew-me ytDownloader up to 3.20.2 Compressor Feature src/compressor.js child_process.exec command injection]
Points: 20
