PT-2023-29854 · Yt-Dlp+2 · Yt-Dlp+2

Coletdjnz · Published 2023-11-14 · Updated 2025-01-28 · CVE-2023-46121

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

yt-dlp versions prior to 2023.11.14

Description

The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary URL, allowing the attacker to perform a Man-In-The-Middle (MITM) attack on the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. The issue arises from the ability to smuggle HTTP headers, including proxy settings, to the Generic extractor through a URL. An attacker can exploit this to set an arbitrary proxy for an arbitrary URL that the Generic extractor will request, potentially allowing them to intercept cookies not marked as secure.

Recommendations

For versions prior to 2023.11.14, upgrade to version 2023.11.14 or later, which removes the ability to smuggle HTTP headers to the Generic extractor. As a temporary workaround, consider disabling the Generic extractor with the --ies default,-generic option, or pass only trusted sites with trusted content to minimize the risk of exploitation. Use the --no-check-certificate option with caution, as it increases exposure to MITM attacks.
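
One way to apply the recommendations above in a wrapper script, as an added example that is not part of the advisory or of yt-dlp: it adds the --ies default,-generic workaround when the installed version is older than 2023.11.14 or cannot be parsed. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory or the yt-dlp project.
FIXED_VERSION="2023.11.14"            # fixed release named in the advisory
WORKAROUND="--ies default,-generic"   # workaround option named in the advisory

# version_lt A B: succeeds when dotted numeric version A sorts strictly before B.
# Fields are compared as integers; a missing field counts as 0.
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 1; fi
    done
    return 1
}

# workaround_args VERSION: print the extra options needed for that version.
# Empty or non-numeric version strings fail closed and get the workaround.
workaround_args() {
    case $1 in
        ''|*[!0-9.]*) printf '%s\n' "$WORKAROUND"; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        printf '%s\n' "$WORKAROUND"
    fi
    return 0
}

# guarded_ytdlp ARGS...: run the installed yt-dlp, disabling the Generic
# extractor when the version check says the fix is not present.
guarded_ytdlp() {
    _ver=$(yt-dlp --version 2>/dev/null) || _ver=
    # Unquoted on purpose: the workaround must split into two arguments.
    # shellcheck disable=SC2046
    yt-dlp $(workaround_args "$_ver") "$@"
}
```

Call guarded_ytdlp in place of yt-dlp; with the Generic extractor disabled, URLs that only that extractor would handle are rejected.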

Exploit

Fix

Weakness Enumeration

Insufficient Session Expiration
HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2023-8431
ALT-PU-2024-13204
CVE-2023-46121
GHSA-3CH3-JHC6-5R8X
OPENSUSE-SU-2023:0374-1
OPENSUSE-SU-2024:13435-1
ROSA-SA-2025-2614

Affected Products

Alt Linux
Debian
Yt-Dlp