If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.
This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.
At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped.
An example of a potential attack scenario exploiting this vulnerability:
1. an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an unvalidated redirect to a target URL.
2. yt-dlp extracts this URL and calculates the cookies which are then passed to curl.
3. the download URL redirects to a server controlled by the attacker, to which curl forwards the user's sensitive cookie information.
yt-dlp version 2026.06.09 fixes this issue by doing the following:
--cookie - if curl is version 7.59 or higher.--cookie /dev/fd/0 if the system supports this device file.--cookie <file>.It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
--downloader curl.