Remote Code Execution Risk in yt-dlp due to Insufficient Input Validation
CVE-2024-22423
What is CVE-2024-22423?
The yt-dlp project, a popular fork of youtube-dl, has a vulnerability that can lead to remote code execution because input passed to the '--exec' option is not handled safely. The issue stems from an insufficient escaping mechanism introduced in an earlier patch, which was meant to mitigate code execution through unvalidated expansion of the command template. In version 2021.04.11 the escaping of double quotes was inadequate: arbitrary commands could still be executed through environment variable expansion. The vulnerability is fixed in version 2024.04.09, which replaces the vulnerable patterns with a more secure escaping method. Users are strongly advised to upgrade to the latest version immediately and to exercise caution when using the '--exec' feature, especially with untrusted input.
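The practical first step for a defender is to find installations in the affected range. The following is an added example (not code from the yt-dlp project) that parses `yt-dlp --version` output and audits a constructed host inventory against the advisory's version bounds.

```python
"""Check whether an installed yt-dlp version falls in the affected range
for CVE-2024-22423 (yt-dlp >= 2021.04.11, < 2024.04.09).

yt-dlp versions are date based (YYYY.MM.DD, occasionally with a trailing
numeric component), so they compare correctly as integer tuples.
"""
import re

AFFECTED_FROM = (2021, 4, 11)   # first affected version (inclusive)
FIXED_IN = (2024, 4, 9)         # first fixed version (exclusive upper bound)

_VERSION_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}(?:\.\d+)?$")


def parse_version(text: str) -> tuple:
    """Parse the output of `yt-dlp --version` into a comparable int tuple."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised yt-dlp version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True if the version lies in the range the advisory lists as affected."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def audit(inventory: dict) -> list:
    """Return hosts needing attention: affected versions plus any host whose
    reported version could not be parsed (so nothing is silently skipped)."""
    flagged = []
    for host, reported in inventory.items():
        try:
            if is_affected(reported):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: hostname -> raw `yt-dlp --version` output
SAMPLE_INVENTORY = {
    "build-01": "2023.09.24\n",   # affected
    "build-02": "2024.04.09",     # first fixed release
    "build-03": "2021.04.11",     # first affected release
    "build-04": "2021.03.24",     # predates the affected range
    "build-05": "unknown",        # unparseable, reported for follow-up
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade yt-dlp to 2024.04.09 or later")
```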

Affected Version(s)
yt-dlp >= 2021.04.11, < 2024.04.09
