{
  "id": "CVE-2024-38519",
  "summary": "yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization",
  "details": "`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, neither tool limits the extension of a downloaded file, so a malicious site can cause files with arbitrary names to be created in the download directory (and, on Windows, can achieve path traversal). Because both tools also read configuration from the working directory (and, on Windows, executables are run from the `yt-dlp` or `youtube-dl` directory), a planted file can lead to arbitrary code being executed.\n\n`yt-dlp` version 2024.07.01 fixes this issue by allow-listing the permitted extensions. `youtube-dl` fixes it in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. Some very uncommon extensions may no longer be downloaded, but the change also limits the exploitable surface. In addition to upgrading, keep `.%(ext)s` at the end of the output template and only download from websites you trust. Never download into a directory on `PATH` or into other sensitive locations such as your user directory, `system32`, or other directories that hold executables. Users who cannot upgrade should keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s\"`), make sure the extension of the media being downloaded is a common video/audio/subtitle one, avoid the generic extractor, and/or pass `--ignore-config --config-location ...` so that configuration is not loaded from the usual locations.",
  "aliases": ["GHSA-79w7-vh3h-8g4j"],
  "modified": "2026-04-10T05:15:46.792473Z",
  "published": "2024-07-02T13:47:36.399Z",
  "related": ["GHSA-22fp-mf44-f2mq", "GHSA-79w7-vh3h-8g4j", "openSUSE-SU-2024:14094-1"],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38519.json",
    "cwe_ids": ["CWE-669"]
  },
  "references": [
    {"type": "WEB", "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38519.json"},
    {"type": "ADVISORY", "url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq"},
    {"type": "ADVISORY", "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38519"},
    {"type": "ADVISORY", "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/"},
    {"type": "ADVISORY", "url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp"},
    {"type": "FIX", "url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a"},
    {"type": "FIX", "url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec"},
    {"type": "FIX", "url": "https://github.com/ytdl-org/youtube-dl/pull/32830"},
    {"type": "PACKAGE", "url": "https://github.com/ytdl-org/youtube-dl"}
  ],
  "affected": [
    {
      "ranges": [
        {"type": "GIT", "repo": "https://github.com/yt-dlp/yt-dlp", "events": [{"introduced": "0"}, {"fixed": "5ce582448ececb8d9c30c8c31f58330090ced03a"}]},
        {"type": "GIT", "repo": "https://github.com/yt-dlp/yt-dlp", "events": [{"introduced": "0"}, {"fixed": "cd68258225dc813c74fbda4c4fda0c736d6fda10"}]}
      ],
      "versions": ["2021.01.07", "2021.01.08", "2021.01.09", "2021.01.10", "2021.01.12", "2021.01.14", "2021.01.16", "2021.01.20", "2021.01.29", "2021.02.04", "2021.02.09", "2021.02.15", "2021.02.19", "2021.02.24", "2021.03.01", "2021.03.03.2", "2021.03.07", "2021.03.15", "2021.03.24", "2021.03.24.1", "2021.04.03", "2021.04.11", "2021.04.22", "2021.05.11", "2021.06.01", "2021.06.08", "2021.06.09", "2021.06.23", "2021.07.07", "2021.07.21", "2021.07.24", "2021.08.02", "2021.08.10", "2021.09.02", "2021.09.25", "2021.10.09", "2021.10.10", "2021.10.22", "2021.11.10", "2021.11.10.1", "2021.12.01", "2021.12.25", "2021.12.27", "2022.02.03", "2022.02.04", "2022.03.08.1", "2022.04.08", "2022.05.18", "2022.06.22", "2022.06.22.1", "2022.06.29", "2022.07.18", "2022.08.08", "2022.08.14", "2022.08.19", "2022.09.01", "2022.10.04", "2022.11.11", "2023.01.02", "2023.01.06", "2023.02.17", "2023.03.03", "2023.03.04", "2023.06.21", "2023.06.22", "2023.07.06", "2023.09.24", "2023.10.07", "2023.10.13", "2023.11.14", "2023.11.16", "2023.12.30", "2024.03.10", "2024.04.09", "2024.05.26", "2024.05.27"],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38519.json"}
    },
    {
      "ranges": [
        {"type": "GIT", "repo": "https://github.com/ytdl-org/youtube-dl", "events": [{"introduced": "0"}, {"fixed": "d42a222ed541b96649396ef00e19552aef0f09ec"}]}
      ],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38519.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]
}
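The advisory's `details` field describes the fix as allow-listing the permitted extensions and recommends keeping `.%(ext)s` at the end of the output template and downloading only into a non-sensitive directory. The block below is an added example written for this page, not yt-dlp's or youtube-dl's own code, showing what those three checks look like together: an allow-list (rather than deny-list) test on the extension, a template that must end in `.%(ext)s`, and a containment check on the rendered path. The allow-list, the minimal `%(field)s` rendering and the sample inputs are all constructed assumptions for illustration.

```python
"""Allow-list validation of a downloaded file's extension.

Added example for this page; it is not yt-dlp's or youtube-dl's own code.
Assumptions: the allow-list below (a small set of common video, audio,
subtitle and thumbnail extensions), the minimal %(field)s template
rendering, and the sample inputs at the bottom are all constructed for
illustration.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed allow-list; a real downloader carries a much longer one.
ALLOWED_EXTENSIONS = frozenset({
    "mp4", "mkv", "webm", "mov", "avi", "flv", "3gp",   # video
    "m4a", "mp3", "opus", "aac", "ogg", "flac", "wav",  # audio
    "vtt", "srt", "ass", "ttml", "json3",               # subtitles
    "jpg", "jpeg", "png", "webp",                       # thumbnails
})

# Structural check first: only letters and digits, so dots, separators,
# NUL bytes and double extensions such as "mp4.bat" never get through.
_EXT_SHAPE = re.compile(r"^[A-Za-z0-9]{1,8}$")


class UnsafeName(ValueError):
    """Raised when an extension or rendered filename is rejected."""


def sanitize_extension(ext):
    """Return the lower-cased extension if it is on the allow-list.

    A site-influenced value such as "conf", "exe" or "..\\x" is rejected
    even when it looks like an ordinary word: the test is membership in
    the allow-list, not absence from a deny-list.
    """
    if not isinstance(ext, str) or not _EXT_SHAPE.match(ext):
        raise UnsafeName(f"extension has a disallowed shape: {ext!r}")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeName(f"extension not on the allow-list: {ext!r}")
    return ext


def is_safe_extension(ext):
    """Boolean form of sanitize_extension() for bulk classification."""
    try:
        sanitize_extension(ext)
    except UnsafeName:
        return False
    return True


def build_output_name(template, info, download_dir, windows=False):
    """Render a yt-dlp-style "-o" template with a sanitized %(ext)s.

    Only templates ending in ".%(ext)s" are accepted (the advisory's
    recommendation), every other field has path separators replaced, and
    the final path is checked to still sit inside download_dir.
    """
    if not template.endswith(".%(ext)s"):
        raise UnsafeName("output template must end with .%(ext)s")
    fields = {k: re.sub(r"[\\/:\x00]", "_", str(v)) for k, v in info.items()}
    fields["ext"] = sanitize_extension(info.get("ext", ""))
    name = template % fields
    Path = PureWindowsPath if windows else PurePosixPath
    base = Path(download_dir)
    target = base / name
    # Pure paths do not collapse "..", so a traversal component stays visible.
    if ".." in target.parts or target.parts[: len(base.parts)] != base.parts:
        raise UnsafeName(f"rendered name escapes {download_dir!r}: {name!r}")
    return str(target)


def try_output_name(template, info, download_dir, windows=False):
    """build_output_name(), returning None instead of raising."""
    try:
        return build_output_name(template, info, download_dir, windows)
    except UnsafeName:
        return None


# Constructed sample inputs: the kinds of extension a hostile site could
# hand back, next to ordinary ones.
SAMPLE_EXTENSIONS = {
    "normal video": "mp4",
    "upper-case audio": "M4A",
    "config-like": "conf",
    "executable": "exe",
    "traversal": "..\\yt-dlp",
    "double extension": "mp4.bat",
    "empty": "",
}


def classify(samples=SAMPLE_EXTENSIONS):
    """Map each sample label to whether its extension would be accepted."""
    return {label: is_safe_extension(ext) for label, ext in samples.items()}


if __name__ == "__main__":
    for label, ok in classify().items():
        print(f"{label:18} -> {'accept' if ok else 'reject'}")
    print(build_output_name("%(title)s [%(id)s].%(ext)s",
                            {"title": "Demo", "id": "abc123", "ext": "mp4"},
                            "/tmp/dl"))
```

The order of the checks is the point: the shape test throws out anything that is not a short alphanumeric token before the allow-list is even consulted, so an extension can never smuggle in a separator or a second extension, and the template rule guarantees that the sanitized value is what actually ends the filename. The path containment test is defence in depth; with separators stripped from every field it should never fire, but it catches a future field that is not passed through the same replacement.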