CVE-2024-22423 in yt-dlp
Summary
by MITRE • 04/09/2024
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain ", | or &. 3. Instead of using --exec, write the info json and load the fields from it instead.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/26/2026
The yt-dlp vulnerability represents a critical remote code execution flaw affecting Windows systems through improper shell command escaping in the --exec functionality. This vulnerability stems from the implementation of output template expansion within the --exec flag, which allows users to execute shell commands during download processes while incorporating metadata values. The security issue specifically manifests in the handling of special characters when Python's subprocess module executes commands on Windows systems, where the escaping mechanism for cmd.exe does not adequately handle shell metacharacters. The vulnerability was introduced in version 2021.04.11 and affects all subsequent versions up to 2023.09.24, making it a long-standing concern for Windows users who rely on yt-dlp's execution capabilities.
The technical flaw resides in the insufficient escaping of special characters when processing metadata values within shell commands, particularly affecting Windows command processors. The %q conversion intended for proper quoting and escaping fails to account for Windows-specific shell metacharacters such as pipe symbols, ampersands, and other dangerous operators that can be exploited to inject malicious commands. This vulnerability operates at the intersection of CWE-78 and CWE-88, representing both improper neutralization of special elements and command injection through unquoted arguments. Attackers can leverage this flaw by crafting malicious remote data that, when processed through the --exec flag, executes unintended shell commands on the target system. The vulnerability's impact is specifically confined to Windows environments due to the distinct shell behavior and escaping mechanisms used by cmd.exe versus Unix-like shells.
The operational impact of this vulnerability extends beyond simple code execution, as it allows attackers to potentially gain full system control through carefully crafted malicious content. Windows users running yt-dlp with the --exec flag are at risk of arbitrary command execution, which could lead to data theft, system compromise, or further network infiltration. The vulnerability's exploitation requires a maliciously crafted remote data source that gets processed through the --exec functionality, making it particularly dangerous in scenarios where users download content from untrusted sources. Security practitioners should note that this vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter, specifically targeting Windows Command Shell execution paths. The risk is elevated because the vulnerability exists regardless of whether yt-dlp is executed from cmd.exe or PowerShell, providing multiple attack vectors for exploitation.
Mitigation strategies should prioritize upgrading to yt-dlp version 2023.09.24, which implements proper escaping mechanisms for special characters. The fix addresses the core issue by ensuring each special character receives appropriate escaping, though it introduces a limitation where newlines are replaced with carriage returns due to the inability to escape them effectively. For users unable to upgrade immediately, several defensive measures can reduce risk exposure. The recommended approach includes avoiding output template expansion in --exec beyond basic filepath substitution, verifying that metadata fields do not contain dangerous characters like double quotes, pipes, or ampersands, and alternatively using the info json file approach for processing metadata. These mitigations align with secure coding practices and help prevent similar vulnerabilities in other applications that process user-supplied data through shell commands. The vulnerability serves as a reminder of the inherent dangers in shell command injection scenarios and the importance of proper input validation and escaping mechanisms in security-sensitive applications.