Coletdjnz

**Name of the Vulnerable Software and Affected Versions** yt-dlp versions prior to 2023.11.14 **Description** The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary URL, allowing the attacker to perform a Man-In-The-Middle (MITM) attack on the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. The issue arises from the ability to smuggle HTTP headers, including proxy settings, to the Generic extractor through a URL. An attacker can exploit this to set an arbitrary proxy for an arbitrary URL that the Generic extractor will request, potentially allowing them to intercept cookies not marked as secure. **Recommendations** For versions prior to 2023.11.14, upgrade to version 2023.11.14 or later to remove the ability to smuggle HTTP headers to the Generic extractor. As a temporary workaround, consider disabling the Generic extractor by using the `--ies default,-generic` option, or only pass trusted sites with trusted content to minimize the risk of exploitation. Take caution when using the `--no-check-certificate` option to avoid increasing the vulnerability to MITM attacks.

**Name of the Vulnerable Software and Affected Versions** yt-dlp versions 2021.04.11 through 2023.09.23 **Description** The issue arises from the improper escaping of special characters in shell commands executed through the `--exec` flag, allowing for remote code execution if used with maliciously crafted remote data. This vulnerability only impacts yt-dlp on Windows and is present regardless of whether yt-dlp is run from cmd or PowerShell. The estimated number of potentially affected devices is not specified. The `--exec` flag allows output template expansion in its argument, enabling metadata values to be used in shell commands. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. **Recommendations** To resolve the issue for each affected version, follow these steps: - Upgrade yt-dlp to version 2023.09.24 as soon as possible. - Avoid using any output template expansion in `--exec` other than {} (filepath). - If expansion in `--exec` is needed, verify the fields you are using do not contain `, |` or `&`. - Instead of using `--exec`, write the info json and load the fields from it instead.

**Name of the Vulnerable Software and Affected Versions** yt-dlp versions prior to 2023.07.06 yt-dlp nightly versions prior to 2023.07.06.185519 **Description** During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This occurs because all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, losing their scope. The issue is present in all native and external downloaders, except for `curl` and `httpie` (version 3.1.0 or later). As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped. **Recommendations** For versions prior to 2023.07.06, upgrade to version 2023.07.06 or later. For nightly versions prior to 2023.07.06.185519, upgrade to version 2023.07.06.185519 or later. As a temporary workaround, consider avoiding the use of cookies and user authentication methods. Alternatively, avoid using `--load-info-json`. If authentication is necessary, verify the integrity of download links from unknown sources in a browser (including redirects) before passing them to yt-dlp. Use `curl` as an external downloader, since it is not impacted. Avoid fragmented formats such as HLS/m3u8, DASH/mpd, and ISM.