Headline
GHSA-22fp-mf44-f2mq: youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization
Description
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Impact
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.
Patches
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
Workarounds
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version
- have
.%(ext)sat the end of the output template - download from websites that you trust
- do not download to a directory within the executable search
PATHor other sensitive locations, such as your user directory or system directories - in Windows versions that support it, set
NoDefaultCurrentDirectoryInExePathto prevent the cmd shell’s executable search adding the default directory beforePATH - consider that the path traversal vulnerability as a result of resolving
non_existent_dir\..\..\targetdoes not exist in Linux or macOS - ensure the extension of the media to download is a common video/audio/… one (use
--get-filename) - omit any of the subtitle options (
--write-subs/--write-srt,--write-auto-subs/--write-automatic-subs,--all-subs).
References
- GHSA-79w7-vh3h-8g4j
- https://github.com/ytdl-org/youtube-dl/pull/32830
Description
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Impact
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.
Patches
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
Workarounds
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version
- have .%(ext)s at the end of the output template
- download from websites that you trust
- do not download to a directory within the executable search PATH or other sensitive locations, such as your user directory or system directories
- in Windows versions that support it, set NoDefaultCurrentDirectoryInExePath to prevent the cmd shell’s executable search adding the default directory before PATH
- consider that the path traversal vulnerability as a result of resolving non_existent_dir…\target does not exist in Linux or macOS
- ensure the extension of the media to download is a common video/audio/… one (use --get-filename)
- omit any of the subtitle options (–write-subs/ --write-srt, --write-auto-subs/–write-automatic-subs, --all-subs).
References
- GHSA-79w7-vh3h-8g4j
- ytdl-org/youtube-dl#32830
References
- GHSA-22fp-mf44-f2mq
- GHSA-79w7-vh3h-8g4j
- https://nvd.nist.gov/vuln/detail/CVE-2024-38519
- ytdl-org/youtube-dl#32830
- ytdl-org/youtube-dl@d42a222
- https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl