Homepage
About Snyk

External Control of System or Configuration Setting Affecting yt-dlp package, versions [2022.10.4,2023.11.14)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (25th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-YTDLP-6057585
  • published 15 Nov 2023
  • disclosed 15 Nov 2023
  • credit coletdjnz
Report a new vulnerability Found a mistake?

Introduced: 15 Nov 2023

CVE-2023-46121 Open this link in a new tab
CWE-15 Open this link in a new tab

How to fix?

Upgrade yt-dlp to version 2023.11.14 or higher.

Overview

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to External Control of System or Configuration Setting through the Generic Extractor component. An attacker can set an arbitrary proxy for a request to an arbitrary URL, allowing them to perform a Man-in-the-Middle (MITM) attack on the request made from the HTTP session. This could lead to cookie exfiltration in some cases.

Note:

This is only exploitable if the http_headers are smuggled to the Generic extractor, as well as other extractors that use the same pattern.

Workaround

This vulnerability can be mitigated by disabling the Generic extractor (or only passing trusted sites with trusted content) and taking caution when using --no-check-certificate.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

3.7 low