PT-2023-5663 · Yt-Dlp · Yt-Dlp

Coletdjnz +1 · Published 2023-09-25 · Updated 2026-01-05 · CVE-2023-40581

CVSS v3.1: 8.3 High
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

yt-dlp versions 2021.04.11 through 2023.09.23

Description

The issue arises from the improper escaping of special characters in shell commands executed through the --exec flag, allowing for remote code execution if used with maliciously crafted remote data. This vulnerability only impacts yt-dlp on Windows and is present regardless of whether yt-dlp is run from cmd or PowerShell. The estimated number of potentially affected devices is not specified.

The --exec flag allows output template expansion in its argument, enabling metadata values to be used in shell commands. However, the escaping used for cmd (the shell used by Python's subprocess on Windows) does not properly escape special characters. The metadata fields can be combined with the %q conversion, which is intended to quote/escape these values so they can be safely passed to the shell.

Recommendations

To resolve the issue for each affected version, follow these steps:
  • Upgrade yt-dlp to version 2023.09.24 as soon as possible.
  • Avoid using any output template expansion in --exec other than {} (filepath).
  • If expansion in --exec is needed, verify the fields you are using do not contain , | or &.
  • Instead of using --exec, write the info json and load the fields from it instead.
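
The last recommendation above, as an added example (not code from yt-dlp or from this advisory): a post-processing script reads the fields from the info JSON that yt-dlp's --write-info-json option writes and passes them to a program as an argument list, so no shell parses them. The file name, the sample metadata and the stand-in program are constructed for illustration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Fields this post-processing step needs from the info JSON.
WANTED = ("id", "title")


def load_fields(info_json: Path, wanted=WANTED) -> dict:
    """Read selected metadata fields; reject missing or non-string values."""
    info = json.loads(info_json.read_text(encoding="utf-8"))
    fields = {}
    for key in wanted:
        value = info.get(key)
        if not isinstance(value, str):
            raise ValueError(f"field {key!r} missing or not a string")
        fields[key] = value
    return fields


def run_post_step(program: list, fields: dict) -> str:
    """Run the post-processing program with metadata as separate arguments.

    An argument list with shell=False is handed to the process directly, so
    cmd never parses the values. Assumption: `program` is a real executable,
    not a .bat/.cmd script (Windows runs those through cmd.exe).
    """
    argv = [*program, *(fields[k] for k in WANTED)]
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return done.stdout


def demo() -> list:
    """Constructed sample: an ordinary title that contains & and |."""
    sample = {"id": "abc123", "title": "Tom & Jerry | Episode 1"}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "video.info.json"
        path.write_text(json.dumps(sample), encoding="utf-8")
        fields = load_fields(path)
    # Stand-in post-processing program: echoes its arguments back as JSON.
    echo = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
    return json.loads(run_post_step(echo, fields))


if __name__ == "__main__":
    print(demo())
```

The title reaches the child process as one unchanged argument, which is the property the --exec template expansion could not guarantee under cmd.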

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-06330
CVE-2023-40581
GHSA-42H4-V29R-42QG
ROSA-SA-2025-2632

Affected Products

Yt-Dlp