Advisory Database
  • Advisories
  • Dependency Scanning
  1. pypi
  2. ›
  3. youtube-dl
  4. ›
  5. GHSA-22fp-mf44-f2mq

GHSA-22fp-mf44-f2mq: youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

April 18, 2025 (updated May 27, 2025)

This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.

References

  • github.com/advisories/GHSA-22fp-mf44-f2mq
  • github.com/dirkf/youtube-dl
  • github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq
  • github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j
  • github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec
  • github.com/ytdl-org/youtube-dl/pull/32830
  • nvd.nist.gov/vuln/detail/CVE-2024-38519
  • securitylab.github.com/advisories/GHSL-2024-089_youtube-dl

Code Behaviors & Features

Detect and mitigate GHSA-22fp-mf44-f2mq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 2015.01.25 up to 2021.12.17

Solution

Unfortunately, there is no solution available yet.

Impact 7.8 HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-669: Incorrect Resource Transfer Between Spheres

Source file

pypi/youtube-dl/GHSA-22fp-mf44-f2mq.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 23 Aug 2025 00:19:52 +0000.