Yt Dlp
CVE-2023-46121
LOW
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 pypi packages depend on yt-dlp (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2022.10.04.
DescriptionNVD
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate.
AnalysisAI
yt-dlp is a youtube-dl fork with additional features and fixes. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
Technical ContextAI
This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using --no-check-certificate. Affected products include: Yt-Dlp Project Yt-Dlp. Version information: Version 2023.11.14.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.
Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
yt-dlp is a youtube-dl fork with additional features and fixes. Rated high severity (CVSS 7.8), this vulnerability is no
Command injection in yt-dlp and youtube-dl before 2026.7.4 lets a malicious video/webpage host smuggle attacker-controll
yt-dlp is a command-line program to download videos from video sites. Rated high severity (CVSS 8.2), this vulnerability
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today