Vulnerability Database

289,599

Total vulnerabilities in the database

youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

Description

This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.

Vulnerability

youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).

Impact

Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.

Patches

The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.

Workarounds

Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version

  • have .%(ext)s at the end of the output template
  • download from websites that you trust
  • do not download to a directory within the executable search PATH or other sensitive locations, such as your user directory or system directories
  • in Windows versions that support it, set NoDefaultCurrentDirectoryInExePath to prevent the cmd shell's executable search adding the default directory before PATH
  • consider that the path traversal vulnerability as a result of resolving non_existent_dir\..\..\target does not exist in Linux or macOS
  • ensure the extension of the media to download is a common video/audio/... one (use --get-filename)
  • omit any of the subtitle options (--write-subs/ --write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).

References

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H