8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
0.001 Low
EPSS
Percentile
47.8%
During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest’s host.
This vulnerable behavior is present in all versions of youtube-dl, youtube-dlc and yt-dlp released since 2015.01.25. All native and external downloaders are affected, except for curl
and httpie
(httpie version 3.1.0 or later).
At the file download stage, all cookies are passed by yt-dlp to the file downloader as a Cookie
header, thereby losing their scope. This also occurs in yt-dlp’s info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
An example of a potential attack scenario exploiting this vulnerability:
Cookie
header based on its domain for the file downloader to make its request(s) with.yt-dlp version 2023.07.06 fixes this issue by doing the following:
Cookie
header upon HTTP redirectsCookie
header from the cookiejaraxel
only)--add-header "Cookie:..."
is scoped to input URL domain only)cookies
field of the info dict instead of http_headers
so as not to lose their scopePatches for youtube-dl are expected and we will update this advisory when they are merged.
It is recommended to upgrade yt-dlp to version 2023.07.06 as soon as possible.
For users who are not able to upgrade:
--cookies
, --cookies-from-browser
, --username
, --password
, --netrc
). While extractors may set custom cookies, these usually do not contain sensitive information.--load-info-json
Or, if authentication is a must:
curl
as external downloader, since it is not impacted (--downloader curl
)-f "(bv*+ba/b)[protocol~='^https?$']"
)github.com/advisories/GHSA-v8mc-9377-rwjj
github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519
github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729
github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07
github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641
github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06
github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
lists.fedoraproject.org/archives/list/[email protected]/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/
lists.fedoraproject.org/archives/list/[email protected]/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/
lists.fedoraproject.org/archives/list/[email protected]/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/
lists.fedoraproject.org/archives/list/[email protected]/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/
nvd.nist.gov/vuln/detail/CVE-2023-35934