yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization
CVE-2024-38519
What is CVE-2024-38519?
The command-line audio/video downloaders yt-dlp and youtube-dl do not limit the extensions of the files they download, which permits the creation of arbitrary filenames in the download folder. On Windows systems the flaw may also lead to path traversal, and because both tools read configuration files from the working directory, it can potentially lead to the execution of malicious code. The recent release of yt-dlp version 2024.07.01 and updates to youtube-dl address the issue by implementing a whitelist of acceptable file extensions, which reduces the risk of exploitation. Users are advised to upgrade their tools and follow best practices, such as using appropriate output templates and avoiding vulnerable directories for downloads.
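The following sketch shows how an extension allowlist of the kind described above blocks each of the listed outcomes. It is an added example, not code from yt-dlp or youtube-dl; the allowlist contents, the function names and the sample inputs are assumptions made for illustration.

```python
# Illustrative allowlist (assumption): the real tools ship their own, longer lists.
ALLOWED_EXTENSIONS = frozenset({
    "mp4", "mkv", "webm", "m4a", "mp3", "opus", "ogg", "flac", "wav",
    "jpg", "png", "webp", "vtt", "srt",
})


class UnsafeExtensionError(ValueError):
    """Raised when an untrusted extension must not be used in a filename."""


def sanitize_extension(ext: str) -> str:
    """Return ext unchanged if it is safe to append to a filename, else raise."""
    # A separator inside the "extension" lets the final path leave the download
    # folder. Check both styles so the verdict does not depend on the host OS.
    if "/" in ext or "\\" in ext:
        raise UnsafeExtensionError("path-separator")
    # Only the last dotted component decides how the file is treated, so
    # "mp4.conf" is judged as "conf". A trailing dot yields an empty component
    # and is rejected too (Windows strips trailing dots from filenames).
    last = ext.rpartition(".")[2].lower()
    if last not in ALLOWED_EXTENSIONS:
        raise UnsafeExtensionError("not-allowlisted")
    return ext


def classify(extensions):
    """Map each candidate extension to 'ok' or the reason it was rejected."""
    results = {}
    for ext in extensions:
        try:
            sanitize_extension(ext)
            results[ext] = "ok"
        except UnsafeExtensionError as exc:
            results[ext] = str(exc)
    return results


# Constructed sample values, standing in for extensions taken from remote metadata.
SAMPLES = ["mp4", "MKV", "f137.mp4", "conf", "mp4.conf", "exe.", "a\\b.mp4"]

if __name__ == "__main__":
    for ext, verdict in classify(SAMPLES).items():
        print(f"{ext!r:12} {verdict}")
```

Because "conf" is not on the list, a download cannot be written as a configuration file such as yt-dlp.conf in the working directory.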

Affected Version(s)
youtube-dl >= 2015.01.25 <= 2021.12.17
youtube-dl nightly < 2024-07-03
yt-dlp < 2024.07.01
