CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
81.3%
The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec
with %q
by replacing double quotes with two double quotes.
However, this escaping is not sufficient, and still allows expansion of environment variables.
Support for output template expansion in --exec
, along with this vulnerable behavior, was added to yt-dlp
in version 2021.04.11.
> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q"
[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E
[youtube] 42xO6rVqf2E: Downloading webpage
[youtube] 42xO6rVqf2E: Downloading ios player API JSON
[youtube] 42xO6rVqf2E: Downloading android player API JSON
[youtube] 42xO6rVqf2E: Downloading m3u8 information
[info] 42xO6rVqf2E: Downloading 1 format(s): 18
[download] Destination: %CMDCMDLINEοΌ~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4
[download] 100% of 126.16KiB in 00:00:00 at 2.46MiB/s
[Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe"
""
pwned
yt-dlp version 2024.04.09 fixes this issue by properly escaping %
. It replaces them with %%cd:~,%
, a variable that expands to nothing, leaving only the leading percent.
It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using --exec
, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.
For Windows users who are not able to upgrade:
--exec
other than {}
(filepath).--exec
is needed, verify the fields you are using do not contain %
, "
, |
or &
.--exec
, write the info json and load the fields from it instead.When escaping variables, the following code is used for Windows.
yt_dlp/compat/__init__.py
line 31-33
def compat_shlex_quote(s):
import re
return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')
It replaces "
with ""
to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the %CMDCMDLINE%
variable can be used to generate a quote using %CMDCMDLINE:~-1%
; since the value of %CMDCMDLINE%
is the commandline with which cmd.exe
was called, and it is always called with the command surrounded by quotes, %CMDCMDLINE:~-1%
expands to "
. After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:
%CMDCMDLINE:~-1%&calc.exe
Vendor | Product | Version | CPE |
---|---|---|---|
yt-dlp_project | yt-dlp | * | cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:nightly:*:*:* |
github.com/advisories/GHSA-hjq6-52gw-2g7p
github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e
github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11
github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg
github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
nvd.nist.gov/vuln/detail/CVE-2024-22423
www.kb.cert.org/vuls/id/123335
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
81.3%