Published: 15/11/2023 Updated: 22/11/2023

CVSS v3 Base Score: 3.7 | Impact Score: 1.4 | Exploitability Score: 2.2

VMScore: 0

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the malicious user to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

Vulnerable Product	Search on Vulmon	Subscribe to Product
yt-dlp project yt-dlp

Debian Bug report logs - #1055996 yt-dlp: CVE-2023-46121: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection Package: src:yt-dlp; Maintainer for src:yt-dlp is Unit 193 <unit193@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 15 Nov 2023 19:33:02 UTC Severity: important Ta ...

CWE-444 https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055996 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-46121

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect