
Pukkandan

#32272 of 53,630
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-28047
7.8
2024-07-02
Yt-Dlp · Yt-Dlp · CVE-2024-38519
**Name of the Vulnerable Software and Affected Versions**

yt-dlp versions prior to 2024.07.01
youtube-dl versions prior to 2024-07-03

**Description**

The issue concerns the command-line audio/video downloaders `yt-dlp` and `youtube-dl`. Prior to the fixed versions, these tools do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder and to path traversal on Windows. Since `yt-dlp` and `youtube-dl` also read config from the working directory, this could lead to arbitrary code being executed. To mitigate this, users should have `.%(ext)s` at the end of the output template, trust the websites they download from, and avoid downloading to sensitive locations.

**Recommendations**

For `yt-dlp` versions prior to 2024.07.01, upgrade to version 2024.07.01 or later. For `youtube-dl` versions prior to 2024-07-03, update to a nightly build tagged 2024-07-03 or later. For users who cannot upgrade, keep the default output template, ensure the media extension is common, avoid the generic extractor, and use `--ignore-config --config-location ...` so that config is not loaded from common locations.