Generic Extractor MITM Vulnerability in yt-dlp
CVE-2023-46121

5MEDIUM

Key Information:

Vendor

Yt-dlp

Status
Yt-dlp
Vendor
CVE Published:
15 November 2023

What is CVE-2023-46121?

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

yt-dlp >= 2022.10.04, < 2023.11.14

References

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281be...
x_refsource_MISC
https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14
x_refsource_MISC

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.