yt-dlp 2022.7.18 vulnerabilities

Known vulnerabilities in the yt-dlp package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Reliance on Cookies without Validation and Integrity Checking yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Reliance on Cookies without Validation and Integrity Checking due to improper cookies validation through `YoutubeDL.py`. This vulnerability allows unscoped cookies to be transmitted across domains, potentially leaking sensitive information. How to fix Reliance on Cookies without Validation and Integrity Checking? Upgrade `yt-dlp` to version 2023.9.24 or higher.	[,2023.9.24)
M Directory Traversal yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Directory Traversal in the `prepend_extension()` function, when downloading files using the `--write-subs`, `--write-auto-subs`, `--all-subs` or `--write-srt` options to include subtitles. An attacker can inject a path traversal string into the `sub_format` parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system. Note: This vulnerability is only exploitable on Windows. How to fix Directory Traversal? Upgrade `yt-dlp` to version 2024.7.1 or higher.	[,2024.7.1)
H OS Command Injection yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to OS Command Injection due to insufficient escaping of double quotes in the `--exec` command's handling of `%q`, leading to the expansion of environment variables. An attacker can execute arbitrary code by crafting specific input that exploits the environment variable expansion feature. How to fix OS Command Injection? Upgrade `yt-dlp` to version 2024.4.9 or higher.	[2021.4.11,2024.4.9)
H OS Command Injection yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to OS Command Injection due to improper escaping of special characters in the `cmd` shell used by Python's `subprocess`, through the `--exec` flag. Note: This is only exploitable if `yt-dlp` is used on Windows, regardless of whether it's run from `cmd` or `PowerShell`. . How to fix OS Command Injection? Upgrade `yt-dlp` to version 2023.9.24 or higher.	[2021.4.11,2023.9.24)
M Information Exposure yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Information Exposure. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. How to fix Information Exposure? Upgrade `yt-dlp` to version 2023.7.6 or higher.	[,2023.7.6)
M Regular Expression Denial of Service (ReDoS) yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression `generic.py` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `yt-dlp` to version 2023.2.17 or higher.	[,2023.2.17)

Vulnerability

Vulnerable Version

Reliance on Cookies without Validation and Integrity Checking

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Reliance on Cookies without Validation and Integrity Checking due to improper cookies validation through YoutubeDL.py. This vulnerability allows unscoped cookies to be transmitted across domains, potentially leaking sensitive information.

How to fix Reliance on Cookies without Validation and Integrity Checking?

Upgrade yt-dlp to version 2023.9.24 or higher.

[,2023.9.24)

Directory Traversal

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Directory Traversal in the prepend_extension() function, when downloading files using the --write-subs, --write-auto-subs, --all-subs or --write-srt options to include subtitles. An attacker can inject a path traversal string into the sub_format parameter, which is interpolated into a string in certain extractors without checks or sanitization. By convincing a user to follow a link preloaded with a malicious parameter value an attacker can write arbitrary files, which may later be executed on the target system.

Note: This vulnerability is only exploitable on Windows.

How to fix Directory Traversal?

Upgrade yt-dlp to version 2024.7.1 or higher.

[,2024.7.1)

OS Command Injection

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to OS Command Injection due to insufficient escaping of double quotes in the --exec command's handling of %q, leading to the expansion of environment variables. An attacker can execute arbitrary code by crafting specific input that exploits the environment variable expansion feature.

How to fix OS Command Injection?

Upgrade yt-dlp to version 2024.4.9 or higher.

[2021.4.11,2024.4.9)

OS Command Injection

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to OS Command Injection due to improper escaping of special characters in the cmd shell used by Python's subprocess, through the --exec flag.

Note: This is only exploitable if yt-dlp is used on Windows, regardless of whether it's run from cmd or PowerShell. .

How to fix OS Command Injection?

Upgrade yt-dlp to version 2023.9.24 or higher.

[2021.4.11,2023.9.24)

Information Exposure

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Information Exposure. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.

How to fix Information Exposure?

Upgrade yt-dlp to version 2023.7.6 or higher.

[,2023.7.6)

Regular Expression Denial of Service (ReDoS)

yt-dlp is an A youtube-dl fork with additional features and patches

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression generic.py

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade yt-dlp to version 2023.2.17 or higher.

[,2023.2.17)

yt-dlp@2022.7.18 vulnerabilities

A feature-rich command-line audio/video downloader

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?