yt-dlp@2023.3.4 vulnerabilities

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to OS Command Injection due to insufficient escaping of double quotes in the --exec command's handling of %q, leading to the expansion of environment variables. An attacker can execute arbitrary code by crafting specific input that exploits the environment variable expansion feature.

Upgrade yt-dlp to version 2024.4.9 or higher.

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to External Control of System or Configuration Setting through the Generic Extractor component. An attacker can set an arbitrary proxy for a request to an arbitrary URL, allowing them to perform a Man-in-the-Middle (MITM) attack on the request made from the HTTP session. This could lead to cookie exfiltration in some cases.

Note:

This is only exploitable if the http_headers are smuggled to the Generic extractor, as well as other extractors that use the same pattern.

Upgrade yt-dlp to version 2023.11.14 or higher.

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to OS Command Injection due to improper escaping of special characters in the cmd shell used by Python's subprocess, through the --exec flag.

Note: This is only exploitable if yt-dlp is used on Windows, regardless of whether it's run from cmd or PowerShell. .

Upgrade yt-dlp to version 2023.9.24 or higher.

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Information Exposure. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.

Upgrade yt-dlp to version 2023.7.6 or higher.