CVE-2023-40581 — OS Command Injection in Yt-dlp

CWE-78 — OS Command Injection9 documents4 sources

Severity

9.8CRITICALNVD

NVD7.8GHSA7.8OSV7.8

EPSS

10.0%

top 6.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yt-dlp Yt-dlp Project Yt-dlp Debian Yt-dlp

Timeline

PublishedSep 25

Latest updateApr 10

Description

yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used fo…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5yt-dlp/yt-dlp< 2025.07.21+1

▶PyPIyt-dlp/yt-dlp2021.04.11 — 2023.09.24+1

▶NVDyt-dlp_project/yt-dlp2021.04.11 — 2023.09.24+1

▶debiandebian/yt-dlp

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)↗2024-04-10

▶

GHSA

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)↗2024-04-10

▶

OSV

CVE-2024-22423: yt-dlp is a youtube-dl fork with additional features and fixes↗2024-04-09

▶

GHSA

yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`↗2023-09-25

▶

OSV

yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`↗2023-09-25

▶

📋Vendor Advisories

Debian

CVE-2024-22423: yt-dlp - yt-dlp is a youtube-dl fork with additional features and fixes. The patch that a...↗2024

▶

Debian

CVE-2023-40581: yt-dlp - yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows th...↗2023

▶