yt-dlp@2021.1.29 vulnerabilities

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Directory Traversal in the prepend_extension() function, when downloading files using the --write-subs, --write-auto-subs, --all-subs or --write-srt options to include subtitles. An attacker can inject a path traversal string into the sub_format parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system.

Note: This vulnerability is only exploitable on Windows.

Upgrade yt-dlp to version 2024.7.1 or higher.

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Information Exposure. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.

Upgrade yt-dlp to version 2023.7.6 or higher.

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression generic.py

Upgrade yt-dlp to version 2023.2.17 or higher.