CVE-2024-22423

Name of the Vulnerable Software and Affected Versions yt-dlp versions 2021.04.11 through 2024.04.08 process versions prior to 1.6.19.0

Description The issue exists due to insufficient escaping of special characters, allowing for remote code execution when using the --exec flag with output template expansion. This vulnerability is present in yt-dlp on Windows and can be exploited when --exec is used directly with maliciously crafted remote data. The estimated number of potentially affected devices is not specified.

Technical details about exploitation include:

Recommendations For yt-dlp versions 2021.04.11 through 2024.04.08, upgrade to version 2024.04.09 as soon as possible. For Windows users who are not able to upgrade, avoid using any output template expansion in --exec other than {} (filepath); if expansion in --exec is needed, verify the fields you are using do not contain ", | or &; and/or instead of using --exec, write the info json and load the fields from it instead. For process versions prior to 1.6.19.0, update to version 1.6.19.0 or later to fix the command injection vulnerability.