Advisories for PyPI/yt-dlp package

2024

yt-dlp has dependency on potentially malicious third-party code in Douyu extractors

yt-dlp's DouyuTV and DouyuShow extractors used a cdn.bootcdn.net URL as a fallback for fetching a component of the crypto-js JavaScript library. When the Douyu extractor is used, yt-dlp extracts this JavaScript code and attempts to execute it externally using PhantomJS. bootcdn.net is owned by the bad actor responsible for the Polyfill JS supply chain attack that has been ongoing since at least June 2023. While there is no evidence that …

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)

The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in --exec, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.

> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q"
[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E
[youtube] 42xO6rVqf2E: Downloading …

2023

yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the --exec flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the %q conversion, which is intended to quote/escape these values …

URL Redirection to Untrusted Site ('Open Redirect')

yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for curl …