GHSA-hjq6-52gw-2g7p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hjq6-52gw-2g7p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hjq6-52gw-2g7p/GHSA-hjq6-52gw-2g7p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hjq6-52gw-2g7p
- Aliases
- Published
- 2024-04-10T17:07:09Z
- Modified
- 2024-08-01T03:50:08.512413Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
- Details
-
Summary
The patch that addressed CVE-2023-40581 attempted to prevent RCE when using
--execwith%qby replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables.Support for output template expansion in
--exec, along with this vulnerable behavior, was added toyt-dlpin version 2021.04.11.> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q" [youtube] Extracting URL: https://youtu.be/42xO6rVqf2E [youtube] 42xO6rVqf2E: Downloading webpage [youtube] 42xO6rVqf2E: Downloading ios player API JSON [youtube] 42xO6rVqf2E: Downloading android player API JSON [youtube] 42xO6rVqf2E: Downloading m3u8 information [info] 42xO6rVqf2E: Downloading 1 format(s): 18 [download] Destination: %CMDCMDLINE:~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4 [download] 100% of 126.16KiB in 00:00:00 at 2.46MiB/s [Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe" "" pwnedPatches
yt-dlp version 2024.04.09 fixes this issue by properly escaping
%. It replaces them with%%cd:~,%, a variable that expands to nothing, leaving only the leading percent.Workarounds
It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using
--exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.For Windows users who are not able to upgrade: - Avoid using any output template expansion in
--execother than{}(filepath). - If expansion in--execis needed, verify the fields you are using do not contain%,",|or&. - Instead of using--exec, write the info json and load the fields from it instead.Details
When escaping variables, the following code is used for Windows.
yt_dlp/compat/__init__.pyline 31-33def compat_shlex_quote(s): import re return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')It replaces
"with""to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the%CMDCMDLINE%variable can be used to generate a quote using%CMDCMDLINE:~-1%; since the value of%CMDCMDLINE%is the commandline with whichcmd.exewas called, and it is always called with the command surrounded by quotes,%CMDCMDLINE:~-1%expands to". After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:%CMDCMDLINE:~-1%&calc.exeReferences
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
- https://nvd.nist.gov/vuln/detail/CVE-2024-22423
- https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
- https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
- References
-
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
- https://nvd.nist.gov/vuln/detail/CVE-2024-22423
- https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e
- https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
- https://github.com/yt-dlp/yt-dlp
- https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11
- https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
- https://www.kb.cert.org/vuls/id/123335
Affected packages
PyPI / yt-dlp
Package
- Name
- yt-dlp
- View open source insights on deps.dev
- Purl
- pkg:pypi/yt-dlp