CVE-2018-6360

Name of the Vulnerable Software and Affected Versions mpv versions prior to 0.28.0

Description The issue allows remote attackers to execute arbitrary code via a crafted web site. This is because mpv reads HTML documents containing VIDEO elements and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl hook.lua. For example, an URL like av://lavfi:ladspa=file= can signify that the product should call dlopen on a shared object file located at an arbitrary local pathname. The problem exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

Recommendations For versions prior to 0.28.0, consider disabling the ytdl hook.lua functionality until a patch is available to prevent the execution of arbitrary code. Restrict access to arbitrary URLs in the src attribute to minimize the risk of exploitation. Avoid using URLs that could potentially lead to the execution of arbitrary code, such as those starting with av://lavfi:ladspa=file=, until the issue is resolved.