Description
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Impact
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default), the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, e.g., subtitles.
Patches
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
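The check described above, sketched as an added example; this is not youtube-dl's own code. The allowlist contents and the names check_extension, is_safe and windows_target are assumptions made for illustration.

```python
import ntpath

# Assumed allowlist for illustration only; patched youtube-dl ships its own list.
ALLOWED_EXTS = frozenset({
    "mp4", "mkv", "webm", "flv", "m4a", "mp3", "ogg", "opus", "wav",
    "srt", "vtt", "ass", "ttml", "jpg", "png", "webp", "json",
})


class UnsafeExtension(ValueError):
    """A remotely supplied extension that must not reach the filesystem."""


def check_extension(ext):
    """Return the lower-cased extension, or raise UnsafeExtension."""
    # Separators first: a value containing "/" or "\" is a path, not an extension.
    if "/" in ext or "\\" in ext:
        raise UnsafeExtension("path separator in extension: %r" % ext)
    # Only the last dotted component decides how the OS treats the file,
    # so "en.vtt" passes while "mp4.bat" does not.
    last = ext.lower().rpartition(".")[2]
    if last not in ALLOWED_EXTS:
        raise UnsafeExtension("extension not allowlisted: %r" % ext)
    return ext.lower()


def is_safe(ext):
    """Boolean wrapper around check_extension."""
    try:
        check_extension(ext)
        return True
    except UnsafeExtension:
        return False


def windows_target(download_dir, title, ext):
    """Where Windows-style lexical normalisation places title.ext with NO check."""
    return ntpath.normpath(ntpath.join(download_dir, title + "." + ext))


if __name__ == "__main__":
    # Constructed sample values, as an extractor might receive them from a site.
    for ext in ("mp4", "en.vtt", "exe", "mp4.bat", r"non_existent_dir\..\..\target"):
        print("%-32r %s" % (ext, "ok" if is_safe(ext) else "rejected"))
```

Without the check, windows_target shows the unchecked name from the Workarounds list normalising to a location outside the download directory; with it, the same value is rejected before any file is created.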
Workarounds
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version:
- have .%(ext)s at the end of the output template
- download from websites that you trust
- do not download to a directory within the executable search PATH or other sensitive locations, such as your user directory or system directories
- in Windows versions that support it, set NoDefaultCurrentDirectoryInExePath to prevent the cmd shell's executable search adding the default directory before PATH
- consider that the path traversal vulnerability as a result of resolving non_existent_dir\..\..\target does not exist in Linux or macOS
- ensure the extension of the media to download is a common video/audio/... one (use --get-filename)
- omit any of the subtitle options (--write-subs/--write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).