PT-2024-28047 · Yt-Dlp +2

Jarlob +1 · Published 2024-07-02 · Updated 2026-06-16 · CVE-2024-38519

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
yt-dlp versions prior to 2024.07.01; youtube-dl versions prior to 2024-07-03

Description
The issue concerns the command-line audio/video downloaders yt-dlp and youtube-dl. Prior to the fixed versions, these tools do not restrict the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder and to path traversal on Windows. Since yt-dlp and youtube-dl also read their configuration from the working directory, this could lead to arbitrary code execution. To mitigate this, users should keep .%(ext)s at the end of the output template, download only from websites they trust, and avoid downloading to sensitive locations.

Recommendations
For yt-dlp versions prior to 2024.07.01, upgrade to version 2024.07.01 or later. For youtube-dl versions prior to 2024-07-03, update to a nightly build tagged 2024-07-03 or later. Users who cannot upgrade should keep the default output template, ensure the media extension is a common one, avoid the generic extractor, and use --ignore-config --config-location ... so that configuration is not loaded from the common locations.
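The mitigation above can be expressed as a pre-write check in a wrapper script. The following Python is an added example written for this page, not yt-dlp's or youtube-dl's own code; the extension allowlist, the function names and the sample filenames are assumptions. It checks that the output template ends in .%(ext)s, that the final extension is a plain alphanumeric one from an allowlist, and that the derived filename cannot escape the download directory under Windows path rules (the case the advisory's traversal concerns) as well as POSIX rules.

```python
"""
Added example for this advisory page: pre-write checks a wrapper around a
downloader could apply so that an unexpected extension or a path-like
filename cannot create arbitrary files or leave the download folder.
Not yt-dlp's or youtube-dl's own code; the allowlist and the sample
inputs below are constructed for illustration.
"""
from pathlib import PurePosixPath, PureWindowsPath

# Assumed allowlist of common media extensions (not taken from the advisory).
ALLOWED_EXTENSIONS = frozenset(
    {"mp4", "mkv", "webm", "m4a", "mp3", "opus", "flac", "ogg", "wav", "aac"}
)


def template_ends_with_ext(template: str) -> bool:
    """Advisory mitigation: the output template should end in '.%(ext)s'."""
    return template.endswith(".%(ext)s")


def extension_allowed(ext: str) -> bool:
    """Accept only a plain alphanumeric extension from the allowlist, so a
    server-supplied value that is not a media extension is refused."""
    return ext.isalnum() and ext.lower() in ALLOWED_EXTENSIONS


def _pure(filename: str, windows: bool):
    """Parse the name with the path rules of the target platform."""
    return PureWindowsPath(filename) if windows else PurePosixPath(filename)


def stays_inside(filename: str, windows: bool) -> bool:
    """True if joining filename onto the download directory cannot leave it:
    no absolute path, no drive or UNC prefix, no root, and no '..' segment.
    Under Windows rules both '/' and '\\' act as separators."""
    p = _pure(filename, windows)
    if p.is_absolute() or p.drive or p.root:
        return False
    return not any(part == ".." for part in p.parts)


def check_output_name(filename: str, windows: bool) -> tuple[bool, str]:
    """Run all checks on a final filename; returns (ok, reason)."""
    if not stays_inside(filename, windows):
        return False, "path escapes download directory"
    ext = _pure(filename, windows).suffix.lstrip(".")
    if not extension_allowed(ext):
        return False, f"extension {ext!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, as a downloader might derive them from the
    # output template plus a server-supplied extension.
    samples = [
        "video.mp4",
        "clips/intro.webm",
        "video.bat",
        "..\\..\\out.mp4",
        "C:\\Temp\\x.mp4",
    ]
    print("template ok:", template_ends_with_ext("%(title)s.%(ext)s"))
    for name in samples:
        print(f"{name!r}: {check_output_name(name, windows=True)}")
```

Note that the same name is judged per platform: under POSIX rules a backslash is an ordinary filename character, so `..\\..\\out.mp4` is a single odd-looking file inside the download directory, whereas under Windows rules it is a traversal and is rejected.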

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2024-38519
GHSA-22FP-MF44-F2MQ
GHSA-79W7-VH3H-8G4J
GHSA-C6MH-FPJC-4PR3
OPENSUSE-SU-2024:14094-1

Affected Products

Debian
Youtube-Dl
Yt-Dlp