# Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS

## Description

ytDownloader is an Electron desktop application that wraps yt-dlp and ffmpeg to download videos/audio and compress media.

A DOM-based cross-site scripting (XSS) vulnerability exists in ytDownloader because untrusted input is rendered unsafely in the Electron renderer. The application inserts attacker-controlled values into the error details panel using innerHTML, without output encoding or sanitization.

Because the Electron window is created with nodeIntegration: true and contextIsolation: false, successful script execution in the renderer may lead to arbitrary local command execution with the privileges of the current user.

### Affected Product

- Product: ytDownloader
- Repository: https://github.com/aandrew-me/ytDownloader
- Affected version: 3.20.2

### Severity

Critical

- CVSS v3.1 Score: 9.6
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

The vulnerable sink is located in a privileged Electron renderer context. Under the current Electron configuration, DOM XSS may be escalated into local code execution.

### Technical Details

The issue is caused by unsafe insertion of untrusted values into the DOM via innerHTML.

In the renderer's error handling flow, the application displays the error details by interpolating untrusted data into HTML instead of rendering it as plain text. The affected values include:

- attacker-controlled URL input
- metadata of videos or playlists
- error output associated with failed metadata retrieval

Because these values are written directly into innerHTML, attacker-controlled markup may be interpreted by the DOM instead of being displayed as inert text.

The impact is significantly increased by the Electron security configuration:

- nodeIntegration: true
- contextIsolation: false

In this configuration, script execution in the renderer may allow access to Node.js and Electron APIs, which can potentially lead to arbitrary command execution on the local machine.

### Impact

A successful attacker may be able to:

- execute JavaScript in the Electron renderer
- access Electron / Node.js APIs
- execute arbitrary local commands with the privileges of the current user
- access local files or application data

### Reproduction Notes

The vulnerable behavior was observed through the application's error details rendering path when untrusted input was inserted into the DOM using innerHTML.

To avoid publishing harmful exploit material, this advisory does not include an active command-execution payload.

### Root Cause

The root cause is the use of innerHTML to render untrusted input in a privileged Electron renderer.

### Recommended Remediation

The issue should be fixed by:

- Replacing innerHTML with safe text rendering, such as:
  - textContent
  - createTextNode()
  - DOM node construction via append()
- Treating stderr from yt-dlp as untrusted input. If it must be displayed, display it as plain text; do not reformat it through an HTML template.
- Hardening the Electron renderer security settings:
  - set nodeIntegration to false
  - set contextIsolation to true
  - expose only minimal safe APIs through a preload script
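As an added illustration (not ytDownloader's code), the vulnerable rendering pattern sits beside a textContent-based replacement, together with a small check for the two webPreferences settings named above. Element and document interfaces are the DOM's; a constructed stand-in is included so the file also runs under plain Node, and the sample URL and stderr line are constructed.

```javascript
// Vulnerable pattern in the shape the advisory describes: untrusted values (the URL the
// user entered, yt-dlp's stderr) are interpolated into HTML and assigned to innerHTML,
// so any markup they carry is parsed by the renderer instead of shown as text.
function renderErrorDetailsUnsafe(panel, url, stderr) {
  panel.innerHTML = `<p>Failed to fetch <b>${url}</b></p><pre>${stderr}</pre>`;
}

// Hardened version: build nodes and set text via textContent so the same input is
// shown verbatim as inert text. `doc` is the renderer's `document`.
function renderErrorDetailsSafe(panel, url, stderr, doc) {
  const p = doc.createElement("p");
  p.textContent = `Failed to fetch ${url}`;
  const pre = doc.createElement("pre");
  pre.textContent = stderr;        // untrusted stderr stays text, never an HTML template
  panel.replaceChildren(p, pre);   // clear + append without parsing any HTML
}
// Flags the webPreferences combination that lets renderer XSS reach Node.js APIs
// (only the two settings the advisory names are checked).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration must be false");
  if (prefs.contextIsolation === false) findings.push("contextIsolation must be true");
  return findings;
}
// Tiny constructed stand-in for the DOM so this also runs under plain Node; in
// Electron pass the real `document` and panel element instead.
function makeDocument() {
  return {
    createElement: (tag) => ({
      tag, textContent: "", innerHTML: "", children: [],
      replaceChildren(...nodes) { this.children = nodes; },
    }),
  };
}
// Serialise a stand-in node as a browser would: text is escaped, never parsed.
function serialize(node) {
  const esc = (s) => s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
  const inner = node.children.length ? node.children.map(serialize).join("") : esc(node.textContent);
  return `<${node.tag}>${inner}</${node.tag}>`;
}
// Constructed sample: a URL carrying harmless markup, echoed back in a yt-dlp-style error.
const sampleUrl = "https://example.invalid/<b>bold</b>";
const sampleStderr = `ERROR: Unsupported URL: ${sampleUrl}`;
function demo() {
  const doc = makeDocument();
  const unsafePanel = doc.createElement("div"), safePanel = doc.createElement("div");
  renderErrorDetailsUnsafe(unsafePanel, sampleUrl, sampleStderr);
  renderErrorDetailsSafe(safePanel, sampleUrl, sampleStderr, doc);
  return { unsafe: unsafePanel.innerHTML, safe: serialize(safePanel) };
}
```

In the unsafe result the `<b>` tags from the input survive as markup; in the safe result they come out as `&lt;b&gt;`, which is what the error panel should show.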
### PoC

PoC video: https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4

### Disclosure Timeline

- Vulnerability discovered: 09/03/2026
- Reported privately to maintainer: 10/03/2026
- Maintainer acknowledged the issue: 11/03/2026
- Public advisory published: 11/03/2026

### Vendor Status

The maintainer has acknowledged the issue and indicated that a fix is in progress.

## Submission Details

| Field | Value |
|---|---|
| Source | https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4 |
| User | ngocnn97 (UID 96701) |
| Submission | 23.03.2026 02:45 (1 month ago) |
| Moderation | 13.04.2026 15:30 (21 days later) |
| Status | accepted |
| VulDB Entry | 357139 [aandrew-me ytDownloader up to 3.20.2 Error Details Panel createTextNode cross site scripting] |
| Points | 20 |