Cyber Resilience

CVE-2024-22423

HighPublic PoCRCE

Published: 09 April 2024

Published
09 April 2024
Modified
05 January 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0650 91.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-22423 is a high-severity OS Command Injection (CWE-78) vulnerability in Yt-Dlp Project Yt-Dlp. Its CVSS base score is 8.3 (High).

Operationally, ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

yt-dlp is a command-line tool for downloading video content that introduced support for output template expansion inside the --exec option beginning with version 2021.04.11. A prior attempt to mitigate remote code execution (CVE-2023-40581) by doubling embedded double-quote characters proved insufficient, leaving an avenue for environment-variable expansion that results in OS command injection (CWE-78). The flaw affects all releases between 2021.04.11 and 2024.04.09 and carries a CVSS 3.1 score of 8.3.

An attacker who can influence the media URL, metadata, or output template supplied to yt-dlp can craft input that, when --exec is used, causes the victim’s shell to expand variables and execute arbitrary commands. Exploitation requires the user to invoke --exec with a template containing %q or similar placeholders and therefore depends on both network-supplied data and local command-line usage.

The project’s security advisory and accompanying patches state that version 2024.04.09 resolves the issue by replacing each percent sign with the inert sequence %%cd:~,% so that only a literal percent remains after expansion. Administrators are advised to upgrade immediately; Windows users unable to upgrade should restrict --exec templates to the literal {} placeholder, validate that no field contains ", | or &, or write the info JSON and consume fields from that file instead.

EPSS scores have remained low and essentially flat (current 0.0650, peak 0.0666), indicating no material post-disclosure surge in observed exploitation activity.

EU & UK References

Vulnerability details

yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still…

more

allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

yt-dlp project
yt-dlp
2021.04.11 — 2024.04.09

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References