PT-2024-40055 · Phantomjs+2

Published 2024-07-08 · Updated 2024-07-08

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

yt-dlp versions prior to 2024.07.07

Description

The issue arises from yt-dlp's DouyuTV and DouyuShow extractors using a URL from cdn.bootcdn.net as a fallback for fetching a component of the crypto-js JavaScript library. This URL is owned by a bad actor responsible for the Polyfill JS supply chain attack. When the Douyu extractor is used, yt-dlp extracts this JavaScript code and attempts to execute it externally using PhantomJS. For exploitation, three conditions must be met: the user has PhantomJS installed, passes a specific URL to yt-dlp, and cdnjs.cloudflare.com is unavailable or blocked, necessitating the use of the cdn.bootcdn.net fallback.

Recommendations

To resolve the issue, upgrade yt-dlp to version 2024.07.07 as soon as possible. For users not able to upgrade, avoid using the Douyu extractors by running yt-dlp with the option --ies default,-douyutv,-douyushow. Uninstall or do not install PhantomJS to minimize the risk of exploitation.
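
A host triage check for the conditions and recommendations above, as an added example that is not part of the advisory or of yt-dlp. The function names and state labels are hypothetical, and ignoring a fourth version component is an assumption.

```shell
#!/bin/sh
# Added example: classify a host against this advisory's fixed version and
# its PhantomJS precondition. Names and state labels are illustrative only.

# Return 0 if calendar version $1 (YYYY.MM.DD, zero-padded or not) is at
# least 2024.07.07, the fixed release named in the advisory. Return 2 if the
# string cannot be parsed. A fourth component is ignored (assumption).
ytdlp_is_patched() {
    case $1 in
        *[!0-9.]*) return 2 ;;
        [1-9][0-9][0-9][0-9].*.*) ;;
        *) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    y=$1; m=${2#0}; d=${3#0}   # strip one leading zero so 08/09 are not read as octal
    [ $(( y * 10000 + ${m:-0} * 100 + ${d:-0} )) -ge 20240707 ]
}

# Print the exposure state for version $1; $2 is "yes" if PhantomJS is installed.
# An unparseable version is treated as unpatched.
douyu_exposure() {
    if ytdlp_is_patched "$1"; then
        echo "patched"
    elif [ "$2" = yes ]; then
        echo "exposed"                    # affected version and PhantomJS present
    else
        echo "vulnerable-no-phantomjs"    # affected version, precondition missing
    fi
}

# Live check; does nothing harmful when yt-dlp is absent.
if command -v yt-dlp >/dev/null 2>&1; then
    ver=$(yt-dlp --version 2>/dev/null || true)
    pj=no
    command -v phantomjs >/dev/null 2>&1 && pj=yes
    state=$(douyu_exposure "$ver" "$pj")
    echo "yt-dlp $ver: $state"
    # Workaround option taken from the Recommendations section.
    [ "$state" = patched ] || echo "until upgraded, run with: --ies default,-douyutv,-douyushow"
else
    echo "yt-dlp not found on PATH"
fi
```
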

Related Identifiers

GHSA-3V33-3WMW-3785

Affected Products

Phantomjs
Crypto-Js
Yt-Dlp