GitHub_M·CWE-434·Published 2024-07-02
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.
### Summary

`yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory), this could lead to arbitrary code being executed.

### Patches

`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This means some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface.

### Workarounds

It is recommended to upgrade yt-dlp to version 2024.07.01 as soon as possible, **always** have `.%(ext)s` at the end of the output template, and make sure you trust the websites that you are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like your user directory, `system32`, or other binaries locations.

For users not able to upgrade:

- Make sure the extension of the media to download is a common video/audio/sub/... one
- Try to avoid the generic extractor (`--ies default,-generic`)
- Keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`)
- Omit any of the subtitle options (`--write-subs`, `--write-auto-subs`, `--all-subs`, `--write-srt`)
- Use `--ignore-config --config-location ...` to not load config from common locations

### Details

One potential exploitation might look like this. For a mimetype yt-dlp does not know, it defaults to trimming the leading part (the type before the slash) and using the remainder as the file extension. Given a webpage that contains

```html
<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "VideoObject",
  "name": "ffmpeg",
  "encodingFormat": "video/exe",
  "contentUrl": "https://example.com/video.mp4"
}
</script>
```

this will try to download a file called `ffmpeg.exe` (with `-o "%(title)s.%(ext)s"`). `ffmpeg.exe` will be searched for in the current directory, and so upon the next run arbitrary code can be executed. Alternatively, if a file called `yt-dlp.conf` is engineered to be created, the config file could contain `--exec ...` and so would also execute arbitrary code.

### Acknowledgement

A big thanks to @JarLob for independently finding a new application of the same underlying issue. More can be read in the dedicated GitHub Security Lab disclosure: [Path traversal saving subtitles (GHSL-2024-090)](https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp)

### References

- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j
- https://nvd.nist.gov/vuln/detail/CVE-2024-38519
- https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01
- https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a
- https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp
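The extension-derivation behaviour described under Details, placed beside the kind of allow-list check the fix introduces and the "template must end in `.%(ext)s`" recommendation from Workarounds, as an added Python example (not yt-dlp's own code; the allow-list contents and function names are illustrative assumptions, not the exact list shipped in 2024.07.01):

```python
import re

# Constructed, illustrative allow-list of common video/audio/subtitle/thumbnail
# extensions. Assumption: the real list in yt-dlp 2024.07.01 differs.
ALLOWED_EXTENSIONS = frozenset({
    'mp4', 'mkv', 'webm', 'mov', 'avi', 'flv', 'ts', 'm4v', '3gp',
    'mp3', 'm4a', 'aac', 'ogg', 'opus', 'flac', 'wav',
    'vtt', 'srt', 'ass', 'ttml', 'json3', 'srv3',
    'jpg', 'jpeg', 'png', 'webp',
})


def mimetype2ext_naive(mimetype):
    """Pre-fix behaviour from the advisory: for an unknown MIME type, drop the
    part before the slash and trust the remainder as the extension.
    'video/exe' -> 'exe', 'text/conf' -> 'conf'."""
    return mimetype.split('/', 1)[-1].strip()


def is_allowed_extension(ext):
    """Allow-list check: a short alphanumeric token naming a known media
    format. Rejects 'exe', 'conf', and anything containing separators, so the
    extension can never carry a path component."""
    ext = ext.lower()
    return bool(re.fullmatch(r'[a-z0-9]{1,8}', ext)) and ext in ALLOWED_EXTENSIONS


def template_ends_with_ext(template):
    """The advisory's recommendation: the output template must end with
    '.%(ext)s' so the (checked) extension is always the last part of the name."""
    return template.endswith('.%(ext)s')


def build_filename(title, mimetype, template='%(title)s.%(ext)s', strict=True):
    """Render the output template. strict=True models the fixed behaviour:
    unknown or non-media extensions are refused before any file is named."""
    ext = mimetype2ext_naive(mimetype).lower()
    if strict and not is_allowed_extension(ext):
        raise ValueError(f'refusing non-media extension {ext!r} from {mimetype!r}')
    return template % {'title': title, 'ext': ext}


if __name__ == '__main__':
    # Pre-fix: a page advertising "video/exe" names the download ffmpeg.exe.
    print(build_filename('ffmpeg', 'video/exe', strict=False))  # ffmpeg.exe
    # Post-fix: the same metadata is refused; a real media type goes through.
    print(build_filename('ffmpeg', 'video/mp4'))               # ffmpeg.mp4
```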
`yt-dlp` is a command-line audio/video downloader. Prior to version 2024.07.01, `yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This might mean some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface. In addition to upgrading, put `.%(ext)s` at the end of the output template and make sure the user trusts the websites they are downloading from. Also, make sure never to download to a directory within PATH or other sensitive locations such as the user directory, `system32`, or other binary locations. For users who cannot upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to avoid loading config from common locations.
| Version | Type | Source | Base | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 7.8 | — | — | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 7.8 | — | — | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |