Information Exposure Affecting yt-dlp package, versions [,2023.7.6)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-YTDLP-5759276
- published 7 Jul 2023
- disclosed 7 Jul 2023
- credit Grub4K, bashonly, coletdjnz
Introduced: 7 Jul 2023
CVE-2023-35934 Open this link in a new tabHow to fix?
Upgrade yt-dlp
to version 2023.7.6 or higher.
Overview
yt-dlp is an A youtube-dl fork with additional features and patches
Affected versions of this package are vulnerable to Information Exposure. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.
Workaround
Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using --load-info-json
. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use curl
as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.