CVE-2024-38519

Advisory

Affected versions of yt-dlp and youtube-dl, command-line audio/video downloaders, are vulnerable to arbitrary file creation due to not limiting downloaded file extensions. This vulnerability could lead to path traversal on Windows, where arbitrary filenames can be created in the download folder. Additionally, yt-dlp and youtube-dl read config files from the working directory, which, on Windows, could result in the execution of arbitrary code if executables are run from the yt-dlp or youtube-dl directory. Users should whitelist allowed extensions and avoid downloading to sensitive locations. As a mitigation, use the default output template and ensure the downloaded media's extension is common. Avoid using the generic extractor and use --ignore-config --config-location to specify a safe config location.
# This only affects Windows users

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a
• https://github.com/advisories/GHSA-79w7-vh3h-8g4j
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519