CVE-2024-22423 — OS Command Injection in Yt-dlp

CWE-78 — OS Command Injection7 documents4 sources

Severity

9.8CRITICALNVD

NVD8.1GHSA7.8OSV7.8

EPSS

4.9%

top 10.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yt-dlp Yt-dlp Project Yt-dlp Debian Yt-dlp

Timeline

PublishedApr 9

Latest updateApr 10

Description

yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escapin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5yt-dlp/yt-dlp< 2025.07.21

▶PyPIyt-dlp/yt-dlp2021.04.11 — 2024.04.09

▶NVDyt-dlp_project/yt-dlp2021.04.11 — 2024.04.09+1

▶debiandebian/yt-dlp

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)↗2024-04-10

▶

GHSA

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)↗2024-04-10

▶

OSV

CVE-2024-22423: yt-dlp is a youtube-dl fork with additional features and fixes↗2024-04-09

▶

📋Vendor Advisories

Debian

CVE-2025-54072: yt-dlp - yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.0...↗2025

▶

Debian

CVE-2024-22423: yt-dlp - yt-dlp is a youtube-dl fork with additional features and fixes. The patch that a...↗2024

▶