GHSA-22fp-mf44-f2mq

Source
https://github.com/advisories/GHSA-22fp-mf44-f2mq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-22fp-mf44-f2mq/GHSA-22fp-mf44-f2mq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-22fp-mf44-f2mq
Published
2025-04-18T20:24:07Z
Modified
2025-04-18T20:55:33.222112Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization
Details

Description

This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.

Vulnerability

youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).

Impact

Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default), the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, e.g., subtitles.

Patches

The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.

Workarounds

Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version:
  • have .%(ext)s at the end of the output template
  • download from websites that you trust
  • do not download to a directory within the executable search PATH or other sensitive locations, such as your user directory or system directories
  • in Windows versions that support it, set NoDefaultCurrentDirectoryInExePath to prevent the cmd shell's executable search adding the default directory before PATH
  • consider that the path traversal vulnerability as a result of resolving non_existent_dir\..\..\target does not exist in Linux or macOS
  • ensure the extension of the media to download is a common video/audio/... one (use --get-filename)
  • omit any of the subtitle options (--write-subs/--write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).
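As an added illustration of the remediation the advisory describes (this is example code, not youtube-dl's own implementation; the whitelist, function names and directory layout are constructed for the example), a Python validator that rejects path separators and traversal in a server-supplied extension, accepts only whitelisted extensions per media kind, and enforces the `.%(ext)s` output-template workaround:

```python
import os
import re

# Constructed whitelist for illustration only; the patched youtube-dl
# releases carry their own (longer) list of allowed extensions.
ALLOWED_EXTENSIONS = {
    "video": {"mp4", "webm", "mkv", "flv", "avi", "mov", "3gp", "ts"},
    "audio": {"mp3", "m4a", "aac", "ogg", "opus", "flac", "wav"},
    "subtitle": {"vtt", "srt", "ass", "ttml"},
}

# An acceptable extension is short, lowercase and alphanumeric only.
_EXT_RE = re.compile(r"^[a-z0-9]{1,8}$")


def sanitize_extension(ext, kind):
    """Return a safe lowercase extension, or None if it must be refused.

    Rejects path separators, drive colons and '..' components (the Windows
    'non_existent_dir\\..\\..\\target' traversal case) before consulting the
    whitelist for the requested media kind, so 'evil.exe' posing as a
    subtitle extension never reaches the filesystem."""
    if not isinstance(ext, str) or not ext:
        return None
    if any(sep in ext for sep in ("/", "\\", ":")) or ".." in ext:
        return None
    ext = ext.lower()
    if not _EXT_RE.match(ext):
        return None
    return ext if ext in ALLOWED_EXTENSIONS.get(kind, set()) else None


def build_output_filename(template, info, download_dir=".", kind="video"):
    """Render an output template with a sanitized extension.

    The template must end with '.%(ext)s' (the advisory's workaround), and as
    defence in depth the rendered path must resolve inside download_dir."""
    if not template.endswith(".%(ext)s"):
        raise ValueError("output template must end with .%(ext)s")
    safe_ext = sanitize_extension(info.get("ext"), kind)
    if safe_ext is None:
        raise ValueError("refusing %r as a %s extension" % (info.get("ext"), kind))
    name = template % dict(info, ext=safe_ext)
    base = os.path.realpath(download_dir)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("rendered filename escapes the download directory")
    return full


def is_download_allowed(template, info, download_dir=".", kind="video"):
    """Boolean wrapper: True when build_output_filename accepts the request."""
    try:
        build_output_filename(template, info, download_dir, kind)
        return True
    except ValueError:
        return False
```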

References

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-434",
        "CWE-669"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-18T20:24:07Z"
}
Affected packages

PyPI / youtube-dl

Affected ranges
Type: ECOSYSTEM
Events: Introduced 2015.01.25; Fixed 2024-07-03

Affected versions

2015.*

2015.01.25
2015.01.30.1
2015.01.30.2
2015.02.02
2015.02.02.2
2015.02.02.4
2015.02.02.5
2015.02.03
2015.02.03.1
2015.02.04
2015.02.06
2015.02.09
2015.02.09.1
2015.02.09.2
2015.02.09.3
2015.02.10
2015.02.10.1
2015.02.10.2
2015.02.10.3
2015.02.10.4
2015.02.10.5
2015.02.11
2015.02.16
2015.02.16.1
2015.02.17
2015.02.17.2
2015.02.18
2015.02.18.1
2015.02.19
2015.02.19.1
2015.02.19.2
2015.02.19.3
2015.02.20
2015.02.21
2015.02.23
2015.02.23.1
2015.02.24
2015.02.24.1
2015.02.24.2
2015.02.26
2015.02.26.1
2015.02.26.2
2015.02.28
2015.03.03
2015.03.03.1
2015.03.09
2015.03.15
2015.03.18
2015.03.24
2015.03.28
2015.04.03
2015.04.09
2015.04.17
2015.04.26
2015.05.03
2015.05.04
2015.05.10
2015.05.15
2015.05.20
2015.06.15
2015.06.25
2015.07.04
2015.07.07
2015.07.18
2015.07.21
2015.07.28
2015.08.06.1
2015.08.09
2015.08.16
2015.08.16.1
2015.08.23
2015.08.28
2015.09.03
2015.09.09
2015.09.22
2015.09.28
2015.10.06
2015.10.06.1
2015.10.06.2
2015.10.09
2015.10.12
2015.10.13
2015.10.16
2015.10.18
2015.10.23
2015.10.24
2015.11.01
2015.11.02
2015.11.10
2015.11.13
2015.11.15
2015.11.18
2015.11.19
2015.11.21
2015.11.23
2015.11.24
2015.11.27.1
2015.12.05
2015.12.06
2015.12.09
2015.12.10
2015.12.13
2015.12.18
2015.12.21
2015.12.23
2015.12.29
2015.12.31

2016.*

2016.01.01
2016.01.09
2016.01.14
2016.01.15
2016.01.23
2016.01.27
2016.01.29
2016.01.31
2016.02.01
2016.02.04
2016.02.05
2016.02.05.1
2016.02.09
2016.02.09.1
2016.02.10
2016.02.13
2016.02.22
2016.02.27
2016.03.01
2016.03.06
2016.03.14
2016.03.18
2016.03.25
2016.03.26
2016.03.27
2016.04.01
2016.04.05
2016.04.06
2016.04.13
2016.04.19
2016.04.24
2016.05.01
2016.05.10
2016.05.16
2016.5.21.2
2016.5.30.2
2016.6.3
2016.6.11
2016.6.11.1
2016.6.11.3
2016.6.12
2016.6.14
2016.6.16
2016.6.18.1
2016.6.19
2016.6.19.1
2016.6.20
2016.6.22
2016.6.23
2016.6.23.1
2016.6.25
2016.6.26
2016.6.27
2016.7.1
2016.7.2
2016.7.3
2016.7.3.1
2016.7.5
2016.7.6
2016.7.7
2016.7.9
2016.7.9.1
2016.7.9.2
2016.7.11
2016.7.13
2016.7.16
2016.7.17
2016.7.22
2016.7.24
2016.7.26.2
2016.7.28
2016.7.30
2016.8.1
2016.8.6
2016.8.7
2016.8.10
2016.8.12
2016.8.13
2016.8.17
2016.8.19
2016.8.22
2016.8.24
2016.8.24.1
2016.8.28
2016.8.31
2016.9.3
2016.9.4
2016.9.4.1
2016.9.8
2016.9.11
2016.9.11.1
2016.9.15
2016.9.18
2016.9.19
2016.9.24
2016.9.27
2016.10.2
2016.10.7
2016.10.12
2016.10.16
2016.10.19
2016.10.21
2016.10.21.1
2016.10.25
2016.10.26
2016.10.31
2016.11.2
2016.11.4
2016.11.8
2016.11.8.1
2016.11.14.1
2016.11.18
2016.11.22
2016.11.27
2016.12.1
2016.12.9
2016.12.12
2016.12.15
2016.12.18
2016.12.20
2016.12.22
2016.12.31

2017.*

2017.1.2
2017.1.5
2017.1.8
2017.1.10
2017.1.14
2017.1.16
2017.1.18
2017.1.22
2017.1.24
2017.1.25
2017.1.28
2017.1.29
2017.1.31
2017.2.1
2017.2.4
2017.2.4.1
2017.2.7
2017.2.10
2017.2.11
2017.2.14
2017.2.16
2017.2.17
2017.2.21
2017.2.22
2017.2.24
2017.2.24.1
2017.2.27
2017.2.28
2017.3.2
2017.3.5
2017.3.6
2017.3.7
2017.3.10
2017.3.15
2017.3.16
2017.3.20
2017.3.22
2017.3.24
2017.3.26
2017.4.2
2017.4.3
2017.4.9
2017.4.11
2017.4.14
2017.4.15
2017.4.16
2017.4.17
2017.4.26
2017.4.28
2017.5.1
2017.5.7
2017.5.9
2017.5.14
2017.5.18
2017.5.18.1
2017.5.23
2017.5.26
2017.5.29
2017.6.5
2017.6.12
2017.6.18
2017.6.23
2017.6.25
2017.7.2
2017.7.9
2017.7.15
2017.7.23
2017.7.30.1
2017.8.6
2017.8.9
2017.8.13
2017.8.18
2017.8.23
2017.8.27
2017.8.27.1
2017.9.2
2017.9.10
2017.9.11
2017.9.15
2017.9.24
2017.10.1
2017.10.7
2017.10.12
2017.10.15
2017.10.15.1
2017.10.20
2017.10.29
2017.11.6
2017.11.15
2017.11.26
2017.12.2
2017.12.10
2017.12.14
2017.12.23
2017.12.28
2017.12.31

2018.*

2018.1.14
2018.1.18
2018.1.21
2018.1.27
2018.2.3
2018.2.4
2018.2.8
2018.2.11
2018.2.22
2018.2.25
2018.2.26
2018.3.3
2018.3.10
2018.3.14
2018.3.20
2018.3.26
2018.3.26.1
2018.4.3
2018.4.9
2018.4.16
2018.4.25
2018.5.1
2018.5.9
2018.5.18
2018.5.26
2018.5.30
2018.6.2
2018.6.4
2018.6.11
2018.6.14
2018.6.18
2018.6.19
2018.6.25
2018.7.4
2018.7.10
2018.7.21
2018.7.29
2018.8.4
2018.8.22
2018.8.28
2018.9.1
2018.9.8
2018.9.10
2018.9.18
2018.9.26
2018.10.5
2018.10.29
2018.11.3
2018.11.7
2018.11.18
2018.11.23
2018.12.3
2018.12.9
2018.12.17
2018.12.31

2019.*

2019.1.2
2019.1.10
2019.1.16
2019.1.17
2019.1.23
2019.1.24
2019.1.27
2019.1.30
2019.1.30.1
2019.2.8
2019.2.18
2019.3.1
2019.3.9
2019.3.18
2019.4.1
2019.4.7
2019.4.17
2019.4.24
2019.4.30
2019.5.11
2019.5.20
2019.6.8
2019.6.21
2019.6.27
2019.7.2
2019.7.12
2019.7.14
2019.7.16
2019.7.27
2019.7.30
2019.8.2
2019.8.13
2019.9.1
2019.9.12
2019.9.12.1
2019.9.28
2019.10.16
2019.10.22
2019.10.29
2019.11.5
2019.11.22
2019.11.28
2019.12.25

2020.*

2020.1.1
2020.1.15
2020.1.24
2020.2.16
2020.3.1
2020.3.6
2020.3.8
2020.3.24
2020.5.3
2020.5.8
2020.5.29
2020.6.6
2020.6.16
2020.6.16.1
2020.7.28
2020.9.6
2020.9.14
2020.9.20
2020.11.1
2020.11.1.1
2020.11.12
2020.11.17
2020.11.18
2020.11.19
2020.11.21
2020.11.21.1
2020.11.24
2020.11.26
2020.11.29
2020.12.2
2020.12.5
2020.12.7
2020.12.9
2020.12.12
2020.12.14
2020.12.22
2020.12.26
2020.12.29
2020.12.31

2021.*

2021.1.3
2021.1.8
2021.1.16
2021.1.24.1
2021.2.4
2021.2.4.1
2021.2.10
2021.2.22
2021.3.2
2021.3.3
2021.3.14
2021.3.25
2021.3.31
2021.4.1
2021.4.7
2021.4.17
2021.4.26
2021.5.16
2021.6.6
2021.12.17

Database specific

{
    "last_known_affected_version_range": "<= 2021.12.17"
}