| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yt-dlp | pip | >= 2021.04.11, < 2023.09.24 | 2023.09.24 |
The vulnerability stemmed from two key issues: 1) compat_shlex_quote's improper escaping for cmd.exe (using " instead of ""), which is directly shown in the commit diff; and 2) the Popen implementation not wrapping commands in the quoting syntax cmd.exe requires. Together, these functions failed to safely handle user-controlled metadata fields passed via --exec %q, allowing command injection. The commit fixes both: it replaces the escaping method in compat_shlex_quote and modifies Popen to use cmd.exe's /V:OFF /C quoting approach.
yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character.
\n will be replaced by \r, as no way of escaping it has been found.
It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.
For Windows users who are not able to upgrade:
- Avoid using output template fields with --exec other than {} (filepath).
- If --exec is needed, verify the fields you are using do not contain ", | or &.
- Instead of passing output template fields to --exec, write the info json and load the fields from it instead.
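The following added example (not yt-dlp's own code) illustrates both the escaping change described above and the workaround check: it flags info-json fields that carry cmd.exe metacharacters, and contrasts backslash-style quoting with the doubled-quote form using a minimal model of cmd.exe's quote toggling. The field names, the `INFO` record and the helper names are constructed for the demonstration.

```python
import re

# Characters the workaround tells you to check for (", | and &); newline is
# included because the page notes it cannot be escaped and is replaced by \r.
CMD_META = re.compile(r'["|&\n]')


def unsafe_exec_fields(info, fields):
    """Names of the requested info-json fields that contain cmd.exe metacharacters."""
    return [f for f in fields if CMD_META.search(str(info.get(f, '')))]


def vulnerable_quote(s):
    # Pre-2023.09.24 style: escape " with a backslash. cmd.exe does not treat
    # backslash as an escape character, so every " still toggles quote state.
    return '"' + s.replace('"', '\\"') + '"'


def quote_for_cmd(s):
    # Illustration of the patched approach the page describes (assumed shape,
    # not the project's code): double inner quotes, map \n to \r, wrap in "".
    if re.fullmatch(r'[-_\w./]+', s, re.ASCII):
        return s
    return '"' + s.replace('"', '""').replace('\n', '\r') + '"'


def unquoted_meta(arg):
    """True if & or | lands outside a quoted span as cmd.exe toggles quotes.

    This models only the quote toggling; it ignores ^ escapes and variable
    expansion (the fix additionally passes /V:OFF to disable delayed expansion).
    """
    in_quotes = False
    for ch in arg:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in '&|' and not in_quotes:
            return True
    return False


# Constructed stand-in for fields read from a --write-info-json file.
INFO = {'id': 'abc123', 'title': 'Song "Remix & more"', 'uploader': 'demo'}


if __name__ == '__main__':
    print(unsafe_exec_fields(INFO, ['id', 'title', 'uploader']))   # ['title']
    print(unquoted_meta(vulnerable_quote(INFO['title'])))          # True
    print(unquoted_meta(quote_for_cmd(INFO['title'])))             # False
```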