Total vulnerabilities in the database
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version
.%(ext)s
at the end of the output templatePATH
or other sensitive locations, such as your user directory or system directoriesNoDefaultCurrentDirectoryInExePath
to prevent the cmd shell's executable search adding the default directory before PATH
non_existent_dir\..\..\target
does not exist in Linux or macOS--get-filename
)--write-subs
/ --write-srt
, --write-auto-subs
/--write-automatic-subs
, --all-subs
).Software | From | Fixed in |
---|---|---|
![]() |
2015.01.25 | 2021.12.17.x |