GHSA-22fp-mf44-f2mq – youtube-dl
Package
Manager: pip
Name: youtube-dl
Vulnerable Version: >=2015.01.25 <=2021.12.17
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

### Description

This advisory follows the security advisory [GHSA-79w7-vh3h-8g4j published by the _yt-dlp/yt-dlp_ project](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j) to aid remediation of the issue in the _ytdl-org/youtube-dl_ project.

### Vulnerability

_youtube-dl_ does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).

### Impact

Since _youtube-dl_ also reads config from the working directory (and, on Windows, executables will be executed from the _youtube-dl_ directory by default), the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, e.g., subtitles.

### Patches

The versions of _youtube-dl_ listed as _Patched_ remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded. **Master code d42a222 or later and nightly builds tagged 2024-07-03 or later** contain the remediation.

### Workarounds

Any or all of the following may limit exposure if it is necessary to use a vulnerable version:

* have `.%(ext)s` at the end of the output template
* download only from websites that you trust
* do not download to a directory within the executable search `PATH` or other sensitive locations, such as your user directory or system directories
* in Windows versions that support it, set [`NoDefaultCurrentDirectoryInExePath`](https://stackoverflow.com/a/50118548) to prevent the _cmd_ shell's executable search from adding the default directory before `PATH`
* consider that the path traversal resulting from resolving `non_existent_dir\..\..\target` does not exist on Linux or macOS
* ensure the extension of the media to download is a common video/audio/... one (use `--get-filename`)
* omit any of the subtitle options (`--write-subs`/`--write-srt`, `--write-auto-subs`/`--write-automatic-subs`, `--all-subs`)

### References

* [GHSA-79w7-vh3h-8g4j](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j)
* https://github.com/ytdl-org/youtube-dl/pull/32830
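The two halves of the remediation described under Patches (rejecting path separators and whitelisting extensions) and the Windows-only traversal case mentioned under Workarounds can be illustrated with a small standalone Python module. This is an added example, not code from youtube-dl or from the linked pull request; the allowlist, the `render_output_filename`/`escapes_download_dir` helper names and the metadata values are constructed for illustration, and the project's real whitelist is the one in PR #32830.

```python
import ntpath
import posixpath
import re

# Constructed allowlist for illustration. The project's real whitelist is the
# one added in ytdl-org/youtube-dl PR #32830, not this set.
ALLOWED_EXTENSIONS = frozenset({
    # video and audio containers
    "mp4", "m4a", "mkv", "webm", "mp3", "ogg", "opus", "flac", "wav",
    "aac", "3gp", "mov", "avi", "flv", "ts",
    # subtitle and metadata sidecars
    "srt", "vtt", "ass", "ttml", "json",
    # thumbnails
    "jpg", "jpeg", "png", "webp",
})

# An extension must be a short alphanumeric token: no dots, separators,
# whitespace or NUL. "exe" or "bat" then fail the allowlist check and
# "mp4\\..\\..\\x" fails the token check before it is ever looked up.
_EXT_TOKEN = re.compile(r"[A-Za-z0-9]{1,10}")


class UnsafeFilenameError(ValueError):
    """An extractor-supplied extension or rendered filename failed a check."""


def sanitize_extension(ext):
    """Return ext if it is an allowlisted plain token, otherwise raise."""
    if not isinstance(ext, str) or not _EXT_TOKEN.fullmatch(ext):
        raise UnsafeFilenameError(f"extension is not a plain token: {ext!r}")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilenameError(f"extension not on allowlist: {ext!r}")
    return ext


def extension_is_allowed(ext):
    """Boolean form of sanitize_extension, convenient for filtering."""
    try:
        sanitize_extension(ext)
    except UnsafeFilenameError:
        return False
    return True


def render_output_filename(template, info):
    """Render an output template such as '%(title)s.%(ext)s' from an info
    dict and refuse the result if any path separator survived substitution.

    The extension is validated before substitution; the separator check
    afterwards covers every field, so a title of 'a/b' is rejected as well.
    """
    fields = dict(info)
    fields["ext"] = sanitize_extension(fields.get("ext"))
    filename = template % fields
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise UnsafeFilenameError(f"unsafe rendered filename: {filename!r}")
    return filename


def filename_is_safe(template, info):
    """Boolean form of render_output_filename."""
    try:
        render_output_filename(template, info)
    except UnsafeFilenameError:
        return False
    return True


def escapes_download_dir(download_dir, filename, windows=False):
    """True if download_dir joined with filename resolves outside download_dir.

    ntpath or posixpath is chosen explicitly so both platforms' rules can be
    exercised on one host: on Windows '\\' separates components, so
    'non_existent_dir\\..\\..\\target' climbs two levels; on Linux and macOS
    the same string is one odd-looking filename that stays inside the folder.
    """
    p = ntpath if windows else posixpath
    base = p.normpath(download_dir)
    target = p.normpath(p.join(base, filename))
    try:
        return p.commonpath([base, target]) != base
    except ValueError:
        # different drives, or a mix of absolute and relative: not inside base
        return True


if __name__ == "__main__":
    info = {"title": "conference talk", "ext": "mp4"}  # constructed metadata
    print(render_output_filename("%(title)s.%(ext)s", info))
    for ext in ("srt", "exe", "mp4\\..\\..\\x"):
        print(ext, "allowed" if extension_is_allowed(ext) else "rejected")
    raw = "non_existent_dir\\..\\..\\target"
    print("windows escapes:", escapes_download_dir("C:\\dl", raw, windows=True))
    print("posix escapes:  ", escapes_download_dir("/dl", raw))
```

Validating the extension before template substitution and checking for separators afterwards is what makes the `.%(ext)s` workaround above effective: once the extension is a plain allowlisted token, the only remaining way for a separator to reach the filesystem is through another metadata field, and the post-render check closes that too. `escapes_download_dir` is only there to show why the advisory limits the traversal to Windows; in practice the separator rejection makes the question moot.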
Metadata
Created: 2025-04-18T20:24:07Z
Modified: 2025-05-27T19:56:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-22fp-mf44-f2mq/GHSA-22fp-mf44-f2mq.json
CWE IDs: ["CWE-434", "CWE-669"]
Alternative ID: N/A
Finding: F027
Auto approve: 1