Grub4K

#31094 of 53,632
8.3 CVSS total
Vulnerabilities · 1
PT-2023-5663
8.3
2023-09-25
Yt-Dlp · Yt-Dlp · CVE-2023-40581
**Name of the Vulnerable Software and Affected Versions**

yt-dlp versions 2021.04.11 through 2023.09.23

**Description**

The issue arises from the improper escaping of special characters in shell commands executed through the `--exec` flag, allowing for remote code execution if used with maliciously crafted remote data. This vulnerability only impacts yt-dlp on Windows and is present regardless of whether yt-dlp is run from cmd or PowerShell. The estimated number of potentially affected devices is not specified.

The `--exec` flag allows output template expansion in its argument, enabling metadata values to be used in shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters.

**Recommendations**

To resolve the issue for each affected version, follow these steps:

- Upgrade yt-dlp to version 2023.09.24 as soon as possible.
- Avoid using any output template expansion in `--exec` other than `{}` (filepath).
- If expansion in `--exec` is needed, verify the fields you are using do not contain `, |` or `&`.
- Rather than using `--exec`, write the info json and load the fields from it.
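The last recommendation, shown as an added example (not yt-dlp's code and not part of the advisory): a Python post-download step that reads fields from the info JSON written by `--write-info-json` and passes them to a program as separate arguments, so no shell command string is ever built. The sample metadata, the helper names and the echoing child process are constructed for illustration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample metadata, shaped like a yt-dlp .info.json file.
# The title carries the kind of characters the advisory warns about.
SAMPLE_INFO = {
    "id": "abc123",
    "title": 'Demo" & echo injected | more',
    "uploader": "example-channel",
}

def load_fields(info_json_path, wanted):
    """Read only the requested string fields from an info JSON file."""
    with open(info_json_path, encoding="utf-8") as fh:
        info = json.load(fh)
    fields = {}
    for name in wanted:
        value = info.get(name)
        if not isinstance(value, str):
            raise ValueError(f"field {name!r} is missing or not a string")
        fields[name] = value
    return fields

def build_argv(program_argv, fields, order):
    """Append each field as its own argv element; nothing is concatenated."""
    return list(program_argv) + [fields[name] for name in order]

def run_with_metadata(info_json_path, program_argv, order):
    fields = load_fields(info_json_path, order)
    argv = build_argv(program_argv, fields, order)
    # shell=False: cmd does not parse the metadata for a real executable.
    # Assumption: program_argv[0] is not a .bat/.cmd script, which Windows
    # hands to cmd regardless of this setting.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return done.stdout

def demo():
    """Round-trip the hostile title through a child process unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "video.info.json"
        path.write_text(json.dumps(SAMPLE_INFO), encoding="utf-8")
        echo = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
        return run_with_metadata(path, echo, ["title"])

if __name__ == "__main__":
    print(demo())
```

The child process receives the title as one literal argument, including the quote, `&` and `|`.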