CVE-2023-35934

Name of the Vulnerable Software and Affected Versions yt-dlp versions prior to 2023.07.06 yt-dlp nightly versions prior to 2023.07.06.185519

Description During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This occurs because all cookies are passed by yt-dlp to the file downloader as a Cookie header, losing their scope. The issue is present in all native and external downloaders, except for curl and httpie (version 3.1.0 or later). As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.

Recommendations For versions prior to 2023.07.06, upgrade to version 2023.07.06 or later. For nightly versions prior to 2023.07.06.185519, upgrade to version 2023.07.06.185519 or later. As a temporary workaround, consider avoiding the use of cookies and user authentication methods. Alternatively, avoid using --load-info-json. If authentication is necessary, verify the integrity of download links from unknown sources in a browser (including redirects) before passing them to yt-dlp. Use curl as an external downloader, since it is not impacted. Avoid fragmented formats such as HLS/m3u8, DASH/mpd, and ISM.