7.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-22fp-mf44-f2mq

EPSS Score

CWE

CWE-434

Published

4/18/2025

Updated

4/18/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-22fp-mf44-f2mq

GHSA-22fp-mf44-f2mq: youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

Description

This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.

Vulnerability

youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).

Impact

Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.

Patches

The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.

Workarounds

Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version

have .%(ext)s at the end of the output template
download from websites that you trust
do not download to a directory within the executable search PATH or other sensitive locations, such as your user directory or system directories
in Windows versions that support it, set NoDefaultCurrentDirectoryInExePath to prevent the cmd shell's executable search adding the default directory before PATH
consider that the path traversal vulnerability as a result of resolving non_existent_dir\..\..\target does not exist in Linux or macOS
ensure the extension of the media to download is a common video/audio/... one (use --get-filename)
omit any of the subtitle options (--write-subs/ --write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).

References

GHSA-79w7-vh3h-8g4j
https://github.com/ytdl-org/youtube-dl/pull/32830

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-22fp-mf44-f2mq

EPSS Score

CWE

CWE-434

Published

4/18/2025

Updated

4/18/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
youtube-dl	pip	>= 2015.01.25, <= 2021.12.17	2024-07-03

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described is due to improper file-extension sanitization, allowing path traversal and arbitrary file creation. The provided commit d42a222ed541b96649396ef00e19552aef0f09ec directly addresses this by overhauling the extension handling logic.

The analysis of the patch in youtube_dl/utils.py shows that the functions prepend_extension and replace_extension were completely rewritten. Their previous implementations (visible as removed lines in the diff) directly concatenated or formatted the filename and extension strings without any sanitization of the ext parameter. This lack of sanitization is the core of the vulnerability, as it allowed malicious strings to be passed via the ext parameter, leading to the described security issues.

The new implementations delegate the logic to a new internal function _change_extension, which in turn uses _UnsafeExtensionError.sanitize_extension. This new sanitize_extension method explicitly checks for path traversal characters ('/' and '\') and validates the extension against a whitelist of allowed extensions, throwing an _UnsafeExtensionError if the checks fail.

The functions YoutubeDL.process_info in youtube_dl/YoutubeDL.py was modified by adding the @_catch_unsafe_file_extension decorator. This indicates that process_info is a higher-level function that likely invokes (directly or indirectly) the extension manipulation functions and is now equipped to handle the errors from the new sanitization logic. However, the vulnerability itself (the lack of sanitization) was located within the prepend_extension and replace_extension functions as they existed before this patch.

Therefore, the identified vulnerable functions are the pre-patch versions of youtube_dl.utils.prepend_extension and youtube_dl.utils.replace_extension because they processed potentially malicious input (the extension string) without adequate sanitization, directly leading to the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

#### **s*ription T*is **visory *ollows t** s**urity **visory [**S*-**w*-v***-***j pu*lis*** *y t** _yt-*lp/yt-*lp_ proj**t](*ttps://*it*u*.*om/yt-*lp/yt-*lp/s**urity/**visori*s/**S*-**w*-v***-***j) to *i* r*m**i*tion o* t** issu* in t** _yt*l-or*/you

Reasoning

T** vuln*r**ility **s*ri*** is *u* to improp*r *il*-*xt*nsion s*nitiz*tion, *llowin* p*t* tr*v*rs*l *n* *r*itr*ry *il* *r**tion. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is *y ov*r**ulin* t** *xt*nsion **n*l

7.8

Basic Information

Concerned about an active attack path?

GHSA-22fp-mf44-f2mq: youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization

Description

Vulnerability

Impact

Patches

Workarounds

References

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI