yt-dlp 2023.11.14 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the yt-dlp package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Command Injection via the function `parse_cmd` in the class `ExecPP`, which the `--exec` process on Windows uses with the default placeholder. An attacker can execute arbitrary commands by supplying a crafted filepath that is insufficiently sanitized. Note: Users should always be careful when using `--exec`, because using unvalidated input in shell commands is inherently dangerous. How to fix Command Injection? Upgrade `yt-dlp` to version 2025.7.21 or higher.	[,2025.7.21)
M Directory Traversal yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Directory Traversal in the `prepend_extension()` function, when downloading files using the `--write-subs`, `--write-auto-subs`, `--all-subs` or `--write-srt` options to include subtitles. An attacker can inject a path traversal string into the `sub_format` parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system. Note: This vulnerability is only exploitable on Windows. How to fix Directory Traversal? Upgrade `yt-dlp` to version 2024.7.1 or higher.	[,2024.7.1)
H OS Command Injection yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to OS Command Injection due to insufficient escaping of double quotes in the `--exec` command's handling of `%q`, leading to the expansion of environment variables. An attacker can execute arbitrary code by crafting specific input that exploits the environment variable expansion feature. How to fix OS Command Injection? Upgrade `yt-dlp` to version 2024.4.9 or higher.	[2021.4.11,2024.4.9)

Vulnerability

Vulnerable Version

Command Injection

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Command Injection via the function parse_cmd in the class ExecPP, which the --exec process on Windows uses with the default placeholder. An attacker can execute arbitrary commands by supplying a crafted filepath that is insufficiently sanitized.

Note: Users should always be careful when using --exec, because using unvalidated input in shell commands is inherently dangerous.

How to fix Command Injection?

Upgrade yt-dlp to version 2025.7.21 or higher.

[,2025.7.21)

Directory Traversal

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Directory Traversal in the prepend_extension() function, when downloading files using the --write-subs, --write-auto-subs, --all-subs or --write-srt options to include subtitles. An attacker can inject a path traversal string into the sub_format parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system.

Note: This vulnerability is only exploitable on Windows.

How to fix Directory Traversal?

Upgrade yt-dlp to version 2024.7.1 or higher.

[,2024.7.1)

OS Command Injection

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to OS Command Injection due to insufficient escaping of double quotes in the --exec command's handling of %q, leading to the expansion of environment variables. An attacker can execute arbitrary code by crafting specific input that exploits the environment variable expansion feature.

How to fix OS Command Injection?

Upgrade yt-dlp to version 2024.4.9 or higher.

[2021.4.11,2024.4.9)

yt-dlp@2023.11.14 vulnerabilities

A feature-rich command-line audio/video downloader

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically