CVE-2023-40581: `--exec` command injection vulnerability when using `%q` on Windows

https://nvd.nist.gov/vuln/detail/CVE-2023-40581

On Windows, the `%q` expansion fails to properly escape special values, which can lead to remote code being executed when combined with `--exec`.

Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.

For more technical details, see the security advisory on GitHub.

What do I need to do?

Windows users:

Reminder: `--exec` can execute anything, and while this vulnerability has been patched, you should always try to be careful with it. Never use commands that you don't fully understand!

What if I am unable to update?

For Windows users who are not able to upgrade:

  • Avoid using any output template expansion in `--exec` other than `{}` (filepath)
  • If expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`
  • Instead of using `--exec` to run the program, write the info json and load required fields from there directly into your program, if supported
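
The last two workarounds, sketched as an added example (not yt-dlp's own code): the fields are read from the info json instead of being expanded in `--exec`, checked for `"`, `|` and `&`, and passed to the consumer as separate arguments without a shell. It assumes the info json was written with `--write-info-json` and that the consumer is a real executable rather than a `.bat`/`.cmd` script; the helper names and the sample metadata are constructed for illustration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Characters the advisory tells Windows users to check for in expanded fields.
UNSAFE_CHARS = frozenset('"|&')

# Constructed sample metadata (not real yt-dlp output); "id", "title" and
# "uploader" are assumed to be the fields the downstream program needs.
SAMPLE_INFO = {"id": "abc123", "title": 'Demo "clip" & more | part 1', "uploader": "example"}

def load_fields(info_json_path, wanted):
    """Read the wanted fields straight from the info json, with no template expansion."""
    info = json.loads(Path(info_json_path).read_text(encoding="utf-8"))
    return {name: str(info.get(name, "")) for name in wanted}

def unsafe_fields(fields):
    """Names of fields whose value contains ", | or &."""
    return sorted(name for name, value in fields.items() if UNSAFE_CHARS & set(value))

def build_argv(program, fields, order):
    """One argv element per field; the values are never joined into a command string."""
    return [*program, *(fields[name] for name in order)]

def run_with_fields(program, info_json_path, order):
    """Run the program with the field values as arguments, without a shell."""
    argv = build_argv(program, load_fields(info_json_path, order), order)
    done = subprocess.run(argv, capture_output=True, text=True, check=True)  # shell=False
    return done.stdout

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "abc123.info.json"
        path.write_text(json.dumps(SAMPLE_INFO), encoding="utf-8")
        fields = load_fields(path, ["id", "title"])
        print("fields to keep out of --exec:", unsafe_fields(fields))
        # Stand-in consumer: a Python child that echoes the arguments it received.
        echo = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
        print("child received:", run_with_fields(echo, path, ["id", "title"]))
```

A field reported by `unsafe_fields` is one to keep out of `--exec` expansion on an unpatched Windows install; it can still be handed to the consumer through the argument list as shown.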