CVE-2023-40581
Published: 25 September 2023
Summary
CVE-2023-40581 is a high-severity OS Command Injection (CWE-78) vulnerability in yt-dlp (yt-dlp project). Its CVSS base score is 8.3 (High).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
yt-dlp, a youtube-dl fork used for downloading media from online sources, contains a command-injection flaw in its handling of the --exec flag on Windows. The flag supports output-template expansion so that metadata fields can be inserted into shell commands, with a %q conversion intended to quote values safely for subprocess execution under cmd. Because the escaping logic fails to neutralize characters such as ", |, and &, an attacker-supplied value can break out of the intended command and execute arbitrary code. The issue was introduced when template expansion for --exec was added in version 2021.04.11 and affects all subsequent releases until the fix in 2023.09.24; it is present regardless of whether yt-dlp is launched from cmd or PowerShell.
An attacker who controls metadata returned by a remote site (for example, a crafted video title or description) can trigger the vulnerability when a Windows user invokes --exec with that untrusted data. Successful exploitation yields remote code execution with the privileges of the yt-dlp process, satisfying the high impact metrics recorded in the CVSS 8.3 vector.
The project’s security advisory and release notes recommend immediate upgrade to version 2023.09.24, which applies correct escaping for every special character (substituting \r for \n). Users unable to upgrade are advised to restrict --exec expansions to the literal {} filepath placeholder, to whitelist only safe metadata fields, or to export the info JSON and process fields outside the shell.
EPSS scores have remained near 0.13 with no material post-disclosure climb, and no confirmed in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2412
Vulnerability details
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11.
yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found.
It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade:
1. Avoid using any output template expansion in `--exec` other than `{}` (filepath).
2. If expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`.
3. Instead of using `--exec`, write the info json and load the fields from it instead.
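The following Python script is an added illustration of workarounds 2 and 3 above and is not part of the advisory or of yt-dlp itself. It assumes the info JSON has been written with yt-dlp's `--write-info-json` option and that the post-processing tool (here a placeholder `ffprobe`) is a native executable; the metadata fields are checked for the three characters the advisory names and are then passed as separate argv entries so that `cmd.exe` never parses them.

```python
"""Post-process yt-dlp output without passing metadata through cmd.exe."""
import json
import subprocess
from pathlib import Path

# Characters the advisory tells users to reject when --exec expansion
# cannot be avoided on Windows.
CMD_METACHARS = set('"|&')


def field_is_safe(value: str) -> bool:
    """True if the metadata value contains none of ", | or &."""
    return not (CMD_METACHARS & set(value))


def load_info(path: Path) -> dict:
    """Load the info JSON that yt-dlp writes with --write-info-json."""
    return json.loads(path.read_text(encoding="utf-8"))


def build_argv(info: dict, tool: str, fields: tuple) -> list:
    """Build an argv list: each metadata value is its own argument, so no
    shell interprets it. Raises ValueError if a field fails the check.
    Note: if `tool` were a .bat/.cmd script, Windows would still start
    cmd.exe to run it, which is why the character check is kept as well."""
    argv = [tool, info["filepath"]]
    for name in fields:
        value = str(info.get(name, ""))
        if not field_is_safe(value):
            raise ValueError(f"metadata field {name!r} contains a cmd metacharacter")
        argv.append(value)
    return argv


def run_postprocess(info_json: Path, tool: str, fields=("title",)) -> int:
    """Load the info JSON, validate the requested fields, run the tool
    with shell=False and return its exit status."""
    argv = build_argv(load_info(info_json), tool, fields)
    return subprocess.run(argv, shell=False, check=False).returncode


# Constructed sample records standing in for real info JSON content.
SAMPLE_OK = {"filepath": "video.mp4", "title": "Lecture 1 - Intro"}
SAMPLE_BAD = {"filepath": "video.mp4", "title": 'Lecture "1" & notes'}

if __name__ == "__main__":
    print(build_argv(SAMPLE_OK, "ffprobe", ("title",)))
    try:
        build_argv(SAMPLE_BAD, "ffprobe", ("title",))
    except ValueError as err:
        print("rejected:", err)
```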
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.