Incorrect Resource Transfer Between Spheres in youtube_dl

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Introduced: 18 Apr 2025

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

youtube_dl is a YouTube video downloader

Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via improper file extension sanitization, which could create arbitrary filenames in the download folder (and path traversal on Windows). An attacker can modify the file system and execute arbitrary code by crafting malicious filenames that bypass security checks.

Workaround

This vulnerability can be mitigated by ensuring the output template ends with .%(ext)s
Downloading only from trusted websites.
Avoiding downloads to directories within the executable search PATH or other sensitive locations.
Setting NoDefaultCurrentDirectoryInExePath on Windows.
Ensuring downloaded media has a common extension (use --get-filename).
Omitting subtitle download options (--write-subs / --write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Incorrect Resource Transfer Between Spheres Affecting youtube_dl package, versions [2015.01.25,]

Severity

Do your applications use this vulnerable package?