Vulnerability in Ytdl-org Youtube-dl
CVE-2024-38519
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the downlo…
EPSS: 0.000 (14.2th percentile)
CVSS v3 metric
CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Ytdl-org Youtube-dl — versions >= 2015.01.25, nightly
- Yt-dlp — versions < 2024.07.01
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j (x_refsource_CONFIRM)
- https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a (x_refsource_MISC)
- https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01 (x_refsource_MISC)
- https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp (x_refsource_MISC)
- https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq (x_refsource_MISC)
- https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/ (x_refsource_MISC)
- https://github.com/ytdl-org/youtube-dl/pull/32830 (x_refsource_MISC)
- https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-38519?
- CVE-2024-38519 is a high-severity vulnerability in Ytdl-org Youtube-dl, classified under Incorrect Resource Transfer Between Spheres. CVSS score: 7.8/10. Published 2024-07-02.
- How severe is CVE-2024-38519?
- High severity. CVSS v3 base score is 7.8 out of 10.
- Is CVE-2024-38519 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.