Search criteria
15 vulnerabilities found for yt-dlp by yt-dlp_project
FKIE_CVE-2025-54072
Vulnerability from fkie_nvd - Published: 2025-07-22 22:15 - Updated: 2025-10-09 15:59
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yt-dlp_project | yt-dlp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0AC0FE4E-0762-4D11-8413-0C2E17E8289B",
"versionEndExcluding": "2025.07.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21."
},
{
"lang": "es",
"value": "yt-dlp es un descargador de audio y v\u00eddeo de l\u00ednea de comandos con numerosas funciones. En las versiones 2025.06.25 y anteriores, al usar la opci\u00f3n --exec en Windows con el marcador de posici\u00f3n predeterminado (o {}), la ruta de archivo expandida no se depura lo suficiente, lo que permite la ejecuci\u00f3n remota de c\u00f3digo. Esto evita la mitigaci\u00f3n de CVE-2024-22423, donde el marcador de posici\u00f3n predeterminado y {} no estaban cubiertos por las nuevas reglas de escape. Los usuarios de Windows que no puedan actualizar deber\u00edan evitar usar --exec. En su lugar, podr\u00edan usar las opciones --write-info-json o --dump-json, con un script externo o una l\u00ednea de comandos que consume la salida JSON. Esto se solucion\u00f3 en la versi\u00f3n 2025.07.21."
}
],
"id": "CVE-2025-54072",
"lastModified": "2025-10-09T15:59:25.873",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-22T22:15:37.943",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-3566
Vulnerability from fkie_nvd - Published: 2024-04-10 16:15 - Updated: 2025-11-18 18:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2E708195-E45A-411A-AAF5-4417D5C7812B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:haskell:process_library:1.6.19.0:*:*:*:*:*:*:*",
"matchCriteriaId": "755FA0B2-7E78-4416-9FB8-262C56D3E56B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"matchCriteriaId": "FA780E04-1B07-40CA-8B6B-874DE37C3785",
"versionEndIncluding": "21.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58A8B39D-57DF-4D71-BBCA-1D5A19E0A1B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rust-lang:rust:1.77.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E275AF66-3988-4223-9896-43AFFEE4581B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9E5FBD75-34B4-4FA0-A38A-3BE8A79B9F7D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n de comandos permite a un atacante realizar inyecci\u00f3n de comandos en aplicaciones de Windows que dependen indirectamente de la funci\u00f3n CreateProcess cuando se cumplen las condiciones espec\u00edficas."
}
],
"id": "CVE-2024-3566",
"lastModified": "2025-11-18T18:16:05.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-10T16:15:16.083",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory"
],
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"source": "cret@cert.org",
"tags": [
"Technical Description"
],
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"source": "cret@cert.org",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"source": "cret@cert.org",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"source": "cret@cert.org",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"source": "cret@cert.org",
"tags": [
"Not Applicable"
],
"url": "https://www.kb.cert.org/vuls/id/123335"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-46121
Vulnerability from fkie_nvd - Published: 2023-11-15 00:15 - Updated: 2024-11-21 08:27
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yt-dlp_project | yt-dlp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC3CE4C-A093-449A-BB70-CFB7A7FD1EF0",
"versionEndExcluding": "2023.11.14",
"versionStartIncluding": "2022.10.04",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp\u0027s HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`."
},
{
"lang": "es",
"value": "yt-dlp es una bifurcaci\u00f3n de youtube-dl con funciones y correcciones adicionales. The Generic Extractor en yt-dlp es vulnerable a que un atacante configure un proxy arbitrario para una solicitud en una URL arbitraria, lo que le permite al atacante realizar MITM la solicitud realizada desde la sesi\u00f3n HTTP de yt-dlp. En algunos casos, esto podr\u00eda provocar la exfiltraci\u00f3n de cookies. La versi\u00f3n 2023.11.14 elimin\u00f3 la capacidad de pasar de contrabando `http_headers` al extractor gen\u00e9rico, as\u00ed como a otros extractores que usan el mismo patr\u00f3n. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben desactivar el extractor Ggneric (o solo pasar por sitios confiables con contenido confiable) y tener cuidado al usar `--no-check-certificate`."
}
],
"id": "CVE-2023-46121",
"lastModified": "2024-11-21T08:27:55.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-15T00:15:09.470",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-40581
Vulnerability from fkie_nvd - Published: 2023-09-25 19:15 - Updated: 2024-11-21 08:19
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain ", | or &. 3. Instead of using --exec, write the info json and load the fields from it instead.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yt-dlp_project | yt-dlp | * | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAE6AF84-62B8-469A-9F5D-FC638DCFE350",
"versionEndExcluding": "2023.09.24",
"versionStartIncluding": "2021.04.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python\u0027s `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\\n` will be replaced by `\\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain \", | or \u0026. 3. Instead of using --exec, write the info json and load the fields from it instead.\n"
},
{
"lang": "es",
"value": "yt-dlp es un fork de youtube-dl con funciones y correcciones adicionales. yt-dlp permite al usuario proporcionar l\u00edneas de comando de shell para ejecutar en varias etapas de sus pasos de descarga a trav\u00e9s del indicador `--exec`. Este indicador permite la expansi\u00f3n de la plantilla de salida en su argumento, de modo que los valores de metadatos se puedan usar en los comandos del shell. Los campos de metadatos se pueden combinar con la conversi\u00f3n `%q`, cuyo objetivo es citar/escapar estos valores para que puedan pasarse de forma segura al shell. Sin embargo, el escape usado para `cmd` (el shell usado por el `subproceso` de Python en Windows) no escapa adecuadamente a los caracteres especiales, lo que puede permitir la ejecuci\u00f3n remota de c\u00f3digo si `--exec` se usa directamente con datos remotos creados con fines maliciosos. Esta vulnerabilidad solo afecta a \"yt-dlp\" en Windows y est\u00e1 presente independientemente de si \"yt-dlp\" se ejecuta desde \"cmd\" o desde \"PowerShell\". La compatibilidad con la expansi\u00f3n de la plantilla de salida en `--exec`, junto con este comportamiento vulnerable, se agreg\u00f3 a `yt-dlp` en la versi\u00f3n 2021.04.11. La versi\u00f3n 2023.09.24 de yt-dlp soluciona este problema escapando correctamente cada car\u00e1cter especial. `\\n` ser\u00e1 reemplazado por `\\r` ya que no se ha encontrado ninguna forma de escapar. Se recomienda actualizar yt-dlp a la versi\u00f3n 2023.09.24 lo antes posible. Adem\u00e1s, siempre tenga cuidado al usar --exec, porque si bien esta vulnerabilidad espec\u00edfica ha sido parcheada, usar entradas no validadas en los comandos del shell es inherentemente peligroso. Para usuarios de Windows que no pueden actualizar: 1. Evite utilizar cualquier expansi\u00f3n de plantilla de salida en --exec que no sea {} (ruta de archivo). 2. Si se necesita expansi\u00f3n en --exec, verifique que los campos que est\u00e1 usando no contengan \", | o \u0026amp;. 3. En lugar de usar --exec, escriba la informaci\u00f3n json y cargue los campos desde all\u00ed."
}
],
"id": "CVE-2023-40581",
"lastModified": "2024-11-21T08:19:45.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-25T19:15:09.960",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-35934
Vulnerability from fkie_nvd - Published: 2023-07-06 20:15 - Updated: 2024-11-21 08:09
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Summary
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).
At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping
Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| youtube-dlc_project | youtube-dlc | * | |
| yt-dl | youtube-dl | * | |
| yt-dlp_project | yt-dlp | * | |
| yt-dlp_project | yt-dlp | * | |
| fedoraproject | fedora | 37 | |
| fedoraproject | fedora | 38 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:youtube-dlc_project:youtube-dlc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ECBE3AC3-F678-4368-B45C-52058ACA4DF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yt-dl:youtube-dl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD03CC9F-704E-480B-8D0E-449615BFB249",
"versionStartIncluding": "2015.01.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:-:*:*:*",
"matchCriteriaId": "ECBC5B8D-DE4C-40A9-96DE-7B22E26E375F",
"versionEndExcluding": "2023.07.06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:nightly:*:*:*",
"matchCriteriaId": "40101917-E364-4DA7-8237-3F96DB60B784",
"versionEndExcluding": "2023.07.06.185519",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest\u0027s host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).\n\nAt the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp\u0027s info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.\n\nyt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders\u0027 built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping\n\nSome workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM."
}
],
"id": "CVE-2023-35934",
"lastModified": "2024-11-21T08:09:00.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-06T20:15:09.333",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-54072 (GCVE-0-2025-54072)
Vulnerability from cvelistv5 – Published: 2025-07-22 21:34 – Updated: 2025-07-23 18:30
VLAI?
Title
yt-dlp allows `--exec` command injection when using placeholder on Windows
Summary
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54072",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T18:29:54.467763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T18:30:06.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.07.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T21:34:43.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21"
}
],
"source": {
"advisory": "GHSA-45hg-7f49-5h56",
"discovery": "UNKNOWN"
},
"title": "yt-dlp allows `--exec` command injection when using placeholder on Windows"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54072",
"datePublished": "2025-07-22T21:34:43.408Z",
"dateReserved": "2025-07-16T13:22:18.205Z",
"dateUpdated": "2025-07-23T18:30:06.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3566 (GCVE-0-2024-3566)
Vulnerability from cvelistv5 – Published: 2024-04-10 15:22 – Updated: 2025-11-18 17:35
VLAI?
Title
Command injection vulnerability in programing languages on Microsoft Windows operating system.
Summary
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Node.js | Node.js |
Affected:
* , ≤ 21.7.2
(custom)
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-18T17:35:41.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566"
},
{
"tags": [
"x_transferred"
],
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"tags": [
"x_transferred"
],
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nodejs",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "21.7.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:haskell:process_library:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "process_library",
"vendor": "haskell",
"versions": [
{
"lessThan": "1.6.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rust",
"vendor": "rust-lang",
"versions": [
{
"lessThan": "1.77.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:thephpgroup:thephpgroup:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thephpgroup",
"vendor": "thephpgroup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yt-dlp",
"vendor": "yt-dlp_project",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3566",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T16:13:02.290928Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:25:43.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "Node.js",
"vendor": "Node.js",
"versions": [
{
"lessThanOrEqual": "21.7.2",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
},
{
"platforms": [
"Windows"
],
"product": "GoLang",
"vendor": "Go Programming Language",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"platforms": [
"Windows"
],
"product": "Haskel",
"vendor": "Haskell Programming Language",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T15:26:52.009Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command injection vulnerability in programing languages on Microsoft Windows operating system.",
"x_generator": {
"engine": "VINCE 2.1.12",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-3566"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-3566",
"datePublished": "2024-04-10T15:22:56.099Z",
"dateReserved": "2024-04-10T04:58:27.982Z",
"dateUpdated": "2025-11-18T17:35:41.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46121 (GCVE-0-2023-46121)
Vulnerability from cvelistv5 – Published: 2023-11-14 23:31 – Updated: 2024-08-29 15:19
VLAI?
Title
Generic Extractor MITM Vulnerability in yt-dlp
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.
Severity ?
5 (Medium)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T15:18:50.836529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:19:23.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.10.04, \u003c 2023.11.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp\u0027s HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T23:31:55.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
}
],
"source": {
"advisory": "GHSA-3ch3-jhc6-5r8x",
"discovery": "UNKNOWN"
},
"title": "Generic Extractor MITM Vulnerability in yt-dlp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46121",
"datePublished": "2023-11-14T23:31:55.145Z",
"dateReserved": "2023-10-16T17:51:35.571Z",
"dateUpdated": "2024-08-29T15:19:23.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40581 (GCVE-0-2023-40581)
Vulnerability from cvelistv5 – Published: 2023-09-25 18:54 – Updated: 2024-09-24 14:48
VLAI?
Title
yt-dlp command injection when using `%q` in `--exec` on Windows
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain ", | or &. 3. Instead of using --exec, write the info json and load the fields from it instead.
Severity ?
8.4 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yt-dlp",
"vendor": "yt-dlp_project",
"versions": [
{
"lessThan": "2023.09.24",
"status": "affected",
"version": "2021.04.11",
"versionType": "custom"
},
{
"lessThan": "nightly 2023.09.24.003044",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:45:30.642943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:48:55.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003e= 2021.04.11, \u003c 2023.09.24"
},
{
"status": "affected",
"version": "\u003c nightly 2023.09.24.003044"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python\u0027s `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\\n` will be replaced by `\\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain \", | or \u0026. 3. Instead of using --exec, write the info json and load the fields from it instead.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-25T18:54:00.204Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
}
],
"source": {
"advisory": "GHSA-42h4-v29r-42qg",
"discovery": "UNKNOWN"
},
"title": "yt-dlp command injection when using `%q` in `--exec` on Windows"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40581",
"datePublished": "2023-09-25T18:54:00.204Z",
"dateReserved": "2023-08-16T18:24:02.391Z",
"dateUpdated": "2024-09-24T14:48:55.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35934 (GCVE-0-2023-35934)
Vulnerability from cvelistv5 – Published: 2023-07-06 19:39 – Updated: 2025-02-13 16:55
VLAI?
Title
yt-dlp File Downloader cookie leak
Summary
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).
At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping
Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.
Severity ?
6.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:40.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:47:08.109896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:47:16.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "yt-dlp \u003c 2023.07.06"
},
{
"status": "affected",
"version": "yt-dlp \u003c nightly 2023.07.06.185519"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest\u0027s host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).\n\nAt the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp\u0027s info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.\n\nyt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders\u0027 built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping\n\nSome workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-25T02:06:11.506Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
}
],
"source": {
"advisory": "GHSA-v8mc-9377-rwjj",
"discovery": "UNKNOWN"
},
"title": "yt-dlp File Downloader cookie leak"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35934",
"datePublished": "2023-07-06T19:39:49.656Z",
"dateReserved": "2023-06-20T14:02:45.593Z",
"dateUpdated": "2025-02-13T16:55:56.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54072 (GCVE-0-2025-54072)
Vulnerability from nvd – Published: 2025-07-22 21:34 – Updated: 2025-07-23 18:30
VLAI?
Title
yt-dlp allows `--exec` command injection when using placeholder on Windows
Summary
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54072",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T18:29:54.467763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T18:30:06.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.07.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T21:34:43.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21"
}
],
"source": {
"advisory": "GHSA-45hg-7f49-5h56",
"discovery": "UNKNOWN"
},
"title": "yt-dlp allows `--exec` command injection when using placeholder on Windows"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54072",
"datePublished": "2025-07-22T21:34:43.408Z",
"dateReserved": "2025-07-16T13:22:18.205Z",
"dateUpdated": "2025-07-23T18:30:06.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3566 (GCVE-0-2024-3566)
Vulnerability from nvd – Published: 2024-04-10 15:22 – Updated: 2025-11-18 17:35
VLAI?
Title
Command injection vulnerability in programing languages on Microsoft Windows operating system.
Summary
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Node.js | Node.js |
Affected:
* , ≤ 21.7.2
(custom)
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-18T17:35:41.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566"
},
{
"tags": [
"x_transferred"
],
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"tags": [
"x_transferred"
],
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nodejs",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "21.7.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:haskell:process_library:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "process_library",
"vendor": "haskell",
"versions": [
{
"lessThan": "1.6.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rust",
"vendor": "rust-lang",
"versions": [
{
"lessThan": "1.77.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:thephpgroup:thephpgroup:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thephpgroup",
"vendor": "thephpgroup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yt-dlp",
"vendor": "yt-dlp_project",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3566",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T16:13:02.290928Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T18:25:43.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "Node.js",
"vendor": "Node.js",
"versions": [
{
"lessThanOrEqual": "21.7.2",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
},
{
"platforms": [
"Windows"
],
"product": "GoLang",
"vendor": "Go Programming Language",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"platforms": [
"Windows"
],
"product": "Haskel",
"vendor": "Haskell Programming Language",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T15:26:52.009Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"
},
{
"url": "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"
},
{
"url": "https://kb.cert.org/vuls/id/123335"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24576"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1874"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22423"
},
{
"url": "https://www.kb.cert.org/vuls/id/123335"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command injection vulnerability in programing languages on Microsoft Windows operating system.",
"x_generator": {
"engine": "VINCE 2.1.12",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-3566"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-3566",
"datePublished": "2024-04-10T15:22:56.099Z",
"dateReserved": "2024-04-10T04:58:27.982Z",
"dateUpdated": "2025-11-18T17:35:41.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46121 (GCVE-0-2023-46121)
Vulnerability from nvd – Published: 2023-11-14 23:31 – Updated: 2024-08-29 15:19
VLAI?
Title
Generic Extractor MITM Vulnerability in yt-dlp
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.
Severity ?
5 (Medium)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T15:18:50.836529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:19:23.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.10.04, \u003c 2023.11.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp\u0027s HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T23:31:55.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14"
}
],
"source": {
"advisory": "GHSA-3ch3-jhc6-5r8x",
"discovery": "UNKNOWN"
},
"title": "Generic Extractor MITM Vulnerability in yt-dlp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46121",
"datePublished": "2023-11-14T23:31:55.145Z",
"dateReserved": "2023-10-16T17:51:35.571Z",
"dateUpdated": "2024-08-29T15:19:23.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40581 (GCVE-0-2023-40581)
Vulnerability from nvd – Published: 2023-09-25 18:54 – Updated: 2024-09-24 14:48
VLAI?
Title
yt-dlp command injection when using `%q` in `--exec` on Windows
Summary
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain ", | or &. 3. Instead of using --exec, write the info json and load the fields from it instead.
Severity ?
8.4 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yt-dlp",
"vendor": "yt-dlp_project",
"versions": [
{
"lessThan": "2023.09.24",
"status": "affected",
"version": "2021.04.11",
"versionType": "custom"
},
{
"lessThan": "nightly 2023.09.24.003044",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T14:45:30.642943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T14:48:55.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "\u003e= 2021.04.11, \u003c 2023.09.24"
},
{
"status": "affected",
"version": "\u003c nightly 2023.09.24.003044"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python\u0027s `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\\n` will be replaced by `\\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain \", | or \u0026. 3. Instead of using --exec, write the info json and load the fields from it instead.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-25T18:54:00.204Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24"
}
],
"source": {
"advisory": "GHSA-42h4-v29r-42qg",
"discovery": "UNKNOWN"
},
"title": "yt-dlp command injection when using `%q` in `--exec` on Windows"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40581",
"datePublished": "2023-09-25T18:54:00.204Z",
"dateReserved": "2023-08-16T18:24:02.391Z",
"dateUpdated": "2024-09-24T14:48:55.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35934 (GCVE-0-2023-35934)
Vulnerability from nvd – Published: 2023-07-06 19:39 – Updated: 2025-02-13 16:55
VLAI?
Title
yt-dlp File Downloader cookie leak
Summary
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).
At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping
Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.
Severity ?
6.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:40.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T16:47:08.109896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T16:47:16.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yt-dlp",
"vendor": "yt-dlp",
"versions": [
{
"status": "affected",
"version": "yt-dlp \u003c 2023.07.06"
},
{
"status": "affected",
"version": "yt-dlp \u003c nightly 2023.07.06.185519"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest\u0027s host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).\n\nAt the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp\u0027s info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.\n\nyt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders\u0027 built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping\n\nSome workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-25T02:06:11.506Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641"
},
{
"name": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519"
},
{
"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/"
}
],
"source": {
"advisory": "GHSA-v8mc-9377-rwjj",
"discovery": "UNKNOWN"
},
"title": "yt-dlp File Downloader cookie leak"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35934",
"datePublished": "2023-07-06T19:39:49.656Z",
"dateReserved": "2023-06-20T14:02:45.593Z",
"dateUpdated": "2025-02-13T16:55:56.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}