PyPI: anki

SFTY-20250515-14031

Safety legacy ID: pyup.io-77281

Anki's integration with the mpv media player did not disable the use of youtube-dl (or its fork yt-dlp) by default. On Windows systems, mpv searches for yt-dlp.exe in the system's PATH, which includes the current working directory. This behaviour allowed a malicious shared deck to include a yt-dlp.exe executable in its media folder. When a user opened such a deck and attempted to play a YouTube link, mpv could inadvertently execute the malicious yt-dlp.exe, leading to arbitrary code execution.

Note: This vulnerability is specific to Windows operating systems due to the inclusion of the current working directory in the system PATH.
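A defender-side check for the pattern described above, added here as an example (it is not Anki's or Safety's code): it inspects a shared deck's media mapping for entries a media player would treat as runnable, such as a file named yt-dlp.exe. It assumes the legacy .apkg layout, a zip whose `media` member is a JSON object mapping archive member names to real filenames, and scans a constructed sample deck rather than a real one.

```python
import io
import json
import zipfile

# Names mpv resolves via PATH when its ytdl hook is enabled; a deck shipping
# one of these in its media folder is exactly the pattern in this advisory.
YTDL_NAMES = {"yt-dlp.exe", "youtube-dl.exe", "yt-dlp", "youtube-dl"}
# Extensions Windows will execute when the name is found on PATH.
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com"}


def suspicious_media(apkg_bytes):
    """Return (archive_member, real_name, reason) for media entries that should
    never appear in a flashcard deck. Assumes the legacy .apkg layout, where the
    'media' member is JSON mapping member name -> real filename."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apkg_bytes)) as zf:
        members = set(zf.namelist())
        if "media" not in members:
            return findings
        mapping = json.loads(zf.read("media"))
        for member, real_name in mapping.items():
            lower = real_name.lower()
            head = zf.read(member)[:2] if member in members else b""
            if lower in YTDL_NAMES:
                reason = "filename mpv would resolve via PATH (ytdl hook)"
            elif any(lower.endswith(ext) for ext in EXEC_EXTS):
                reason = "executable extension in media folder"
            elif head == b"MZ":
                reason = "PE header under a non-executable name"
            else:
                continue
            findings.append((member, real_name, reason))
    return findings


def build_sample_deck(include_payload=True):
    """Constructed sample, not a real shared deck: two ordinary media files and,
    optionally, a third whose real name is yt-dlp.exe with a PE ('MZ') header."""
    mapping = {"0": "cat.jpg", "1": "hello.mp3"}
    if include_payload:
        mapping["2"] = "yt-dlp.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("collection.anki2", b"")  # stand-in for the SQLite database
        zf.writestr("media", json.dumps(mapping))
        zf.writestr("0", b"\xff\xd8\xff\xe0 jpeg bytes")
        zf.writestr("1", b"ID3 mp3 bytes")
        if include_payload:
            zf.writestr("2", b"MZ\x90\x00 fake PE header")
    return buf.getvalue()
```

Run `suspicious_media(build_sample_deck())` to see the flagged entry; a deck built with `include_payload=False` yields no findings.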

Created at: Nov 5, 2025. Updated at: Nov 5, 2025.


Affected Package

Affecting anki package, versions <25.02.5

How to Fix

Upgrade anki to 25.2.5 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.