zheny-creator YtGrabber-TUI up to 1.0.0 on Linux Setting config.json load_json_settings toctou

Summaryinfo

A vulnerability has been found in zheny-creator YtGrabber-TUI up to 1.0.0 on Linux and classified as problematic. The affected element is the function load_json_settings of the file config.json of the component Setting Handler. The manipulation leads to toctou. This vulnerability is documented as CVE-2025-62511. The attack needs to be performed locally. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in zheny-creator YtGrabber-TUI up to 1.0.0 on Linux. This issue affects the function load_json_settings of the file config.json of the component Setting Handler. The manipulation with an unknown input leads to a toctou vulnerability. Using CWE to declare the problem leads to CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. Impacted is integrity, and availability. The summary by CVE is:

yt-grabber-tui is a C++ terminal user interface application for downloading YouTube content. yt-grabber-tui version 1.0 contains a Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367) in the creation of the default configuration file config.json. In version 1.0, load_json_settings in Settings.hpp checks for the existence of config.json using boost::filesystem::exists and, if the file is missing, calls create_json_settings which writes the JSON configuration with boost::property_tree::write_json. A local attacker with write access to the application’s configuration directory (~/.config/yt-grabber-tui on Linux or the current working directory on Windows) can create a symbolic link between the existence check and the subsequent write so that the write operation follows the symlink and overwrites an attacker-chosen file accessible to the running process. This enables arbitrary file overwrite within the privileges of the application process, which can corrupt files and cause loss of application or user data. If the application is executed with elevated privileges, this could extend to system file corruption. The issue is fixed in version 1.0.1.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-62511 since 10/15/2025. The exploitation is known to be difficult. An attack has to be approached locally. Technical details are known, but no exploit is available.

By approaching the search of inurl:config.json it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 1.0.1 eliminates this vulnerability. Applying the patch bf065e833820bb4253a70a4c1dc6b843c6d8bf21 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• zheny-creator

Name

• YtGrabber-TUI

Version

• 1.0

License

• open-source

Website

• Product: https://github.com/zheny-creator/YtGrabber-TUI/

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion