yt-dlp@2024.5.26 vulnerabilities

A feature-rich command-line audio/video downloader

latest version

2024.11.24.232931.dev0
latest non vulnerable version

2024.11.24.232931.dev0
first published

4 years ago
latest version published

18 hours ago
licenses detected
- Unlicense
  [2024.2.13.232701.dev0,)
View yt-dlp package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the yt-dlp package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Directory Traversal yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Directory Traversal in the `prepend_extension()` function, when downloading files using the `--write-subs`, `--write-auto-subs`, `--all-subs` or `--write-srt` options to include subtitles. An attacker can inject a path traversal string into the `sub_format` parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system. Note: This vulnerability is only exploitable on Windows. How to fix Directory Traversal? Upgrade `yt-dlp` to version 2024.7.1 or higher.	[,2024.7.1)

Directory Traversal

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Directory Traversal in the prepend_extension() function, when downloading files using the --write-subs, --write-auto-subs, --all-subs or --write-srt options to include subtitles. An attacker can inject a path traversal string into the sub_format parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system.

Note: This vulnerability is only exploitable on Windows.

How to fix Directory Traversal?

Upgrade yt-dlp to version 2024.7.1 or higher.

[,2024.7.1)

Go back to all versions of this package

yt-dlp@2024.5.26 vulnerabilities

A feature-rich command-line audio/video downloader

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities