CVE - CVE-2024-22423

CVE-ID
CVE-2024-22423	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `\|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CERT-VN:VU#123335 URL:https://www.kb.cert.org/vuls/id/123335 MISC:https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e URL:https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e MISC:https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a URL:https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a MISC:https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11 URL:https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11 MISC:https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09 URL:https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09 MISC:https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg URL:https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg MISC:https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p URL:https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240110	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240110)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)