Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attacker-controlled remote manifest is delivered network-wide with no auth (AV:N/PR:N) but needs the victim to run a download with aria2c (UI:R); file write escapes yt-dlp's intended scope into host code execution (S:C, C/I/A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
8Blast Radius
ecosystem impact- 6 pypi packages depend on yt-dlp (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.6.9.
DescriptionNVD
Summary
If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp.
Details
When downloading a fragmented manifest format such as an HLS or DASH stream, yt-dlp first extracts a list of all fragment URLs from the stream's manifest. If the user has selected aria2c as an external downloader, yt-dlp then constructs an input file for aria2c from the fragment URL list and passes its filepath as the argument to aria2c's -i option.
aria2c's -i (or --input-file) option allows for downloading a list of URIs from the given text file. The text file must be formatted as a list of URIs separated by newlines. aria2c's format permits configuration lines for each URI, which can contain command-line options to be given to aria2c. These optional lines follow each URI line and are signified only by leading whitespace. yt-dlp constructs the input file with these optional lines so that it's able to specify the output filename for each fragment using the out= option.
yt-dlp's utilization of the aria2c input file format presents two known attack vectors:
- An attacker can craft a malicious DASH manifest with one or more fragment URLs that contain
, which is the HTML escape sequence for a newline. yt-dlp interprets this escape sequence as an actual newline character when writing the fragment URLs to the aria2c input file, which allows for an attacker to inject arbitrary aria2c options into the input file. With option injection, the attacker can achieve arbitrary file writes. This attack vector is possible only via downloads of DASH formats, since their manifests are an XML format which necessitates unescaping of HTML special characters. - An attacker can craft a malicious metadata response where the data parsed by yt-dlp as the
titlefield (or any other metadata field that the user includes in their output template) contains strategically placed newlines and magnet URIs. If the user has passed the--no-windows-filenameoption to disable sanitization of newlines in output filenames, the attacker is able to achieve arbitrary file writes by injecting arbitrary URIs and options into the aria2c input file. This attack vector is possible via downloads of both HLS and DASH formats.
On Windows, attacker-controlled file writes can lead to immediate arbitrary code execution: the attacker could write a malicious executable file named ffmpeg.exe to the current working directory, and it could be invoked during the postprocessing stage if the user's yt-dlp.exe also resides in the current working directory.
On all platforms, attacker-controlled file writes can lead to arbitrary code execution on repeat invocations of yt-dlp: the attacker could write a yt-dlp configuration file (yt-dlp.conf) to the current working directory containing a malicious --exec argument.
Patches
yt-dlp version 2026.06.09 fixes this issue by removing support for downloading fragmented manifest formats with aria2c.
Workarounds
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
- Add
--downloader dash,m3u8:nativeto your yt-dlp command.
AnalysisAI
Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.
Technical ContextAI
The flaw is a CWE-74 injection (improper neutralization of special elements) in how yt-dlp builds the aria2c '-i'/'--input-file' file. aria2c's input-file format treats indented lines following a URI as per-URI command-line options (e.g. 'out=' for the output filename), so any newline an attacker can smuggle into a fragment URL or filename becomes a new aria2c directive. Two vectors exist: (1) a DASH manifest is XML, so a fragment URL containing the HTML entity ' ' is unescaped to a real newline, letting an attacker inject arbitrary aria2c options; (2) crafted metadata (e.g. the 'title' field used in the output template) carrying newlines and magnet URIs, reachable on both HLS and DASH, but only when the user has set --no-windows-filename to disable newline sanitization. The affected package is pkg:pip/yt-dlp; the upstream fix (commit 25056f0d) removes aria2c support for fragmented manifests entirely and trims its SUPPORTED_PROTOCOLS back to http/https/ftp/ftps.
RemediationAI
Vendor-released patch: upgrade to yt-dlp 2026.06.09 (or later), which removes aria2c support for fragmented HLS/DASH downloads (commit https://github.com/yt-dlp/yt-dlp/commit/25056f0d2d47adbd235a8d422fa62d68d0be2bc2; release https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09). For users who cannot upgrade immediately, the vendor-recommended workaround is to force the native downloaders for fragmented formats by adding '--downloader dash,m3u8:native' to the yt-dlp command, which avoids handing fragment lists to aria2c at the cost of losing aria2c's parallelized fragment downloading speed. As additional hardening, avoid running yt-dlp (or yt-dlp.exe) from the same directory you download into so a planted ffmpeg.exe or yt-dlp.conf is not picked up, and do not use --no-windows-filename with untrusted sources. See GHSA-vx4q-3cr2-7cg2 for full details.
Vendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38495
GHSA-vx4q-3cr2-7cg2