PT-2022-16841
Rudloff
Published: 2022-03-08 · Updated: 2022-03-14
CVE-2022-24739
CVSS v3.1: 7.3 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
AllTube versions prior to 3.0.3
Description
AllTube is an HTML front end for youtube-dl. An attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery (SSRF) attack, depending on how AllTube is configured. The impact is mitigated by the fact that the SSRF attack is only possible when the stream option is enabled in the configuration, which is disabled by default.

Recommendations
For versions prior to 3.0.3, update to version 3.0.3 to fix the vulnerability. Additionally, if using a custom version of youtube-dl, apply the patch that disables its generic extractor to prevent the potential vulnerability. If the stream option is enabled, consider disabling it until the issue is resolved.

Exploit
Fix
Open Redirect
SSRF
Related Identifiers
Affected Products
Alltube
Youtube-Dl