#VU93640 Input validation error in yt-dlp


Published: 2024-07-02

Vulnerability identifier: #VU93640

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-38519

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yt-dlp
Universal components / Libraries / Software for developers

Vendor: yt-dlp

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to software allows files with insecure extensions to be stored in the download folder. A remote attacker can trick the victim to download an executable file and execute it on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

yt-dlp: 2021.01.07 - 2024.05.27

External links
http://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01
http://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora 39 update for yt-dlp
Fedora 39 update for yt-dlp
Fedora 39 update for yt-dlp
Fedora 40 update for yt-dlp
Remote code execution in yt-dlp