CVE-2024-22423

8.3 HIGH

📋 TL;DR

This vulnerability in yt-dlp allows remote code execution when using the --exec option with output template expansion. Attackers can exploit insufficient escaping of environment variables to execute arbitrary commands on affected systems. Users who run yt-dlp with --exec and output template expansion are affected.

💻 Affected Systems

Products:
  • yt-dlp
Versions: 2021.04.11 through 2024.04.08
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using --exec with output template expansion (not just {}). The vulnerability requires user interaction to execute malicious commands.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the affected system, allowing data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Arbitrary command execution with the privileges of the user running yt-dlp, potentially leading to data exfiltration, cryptocurrency mining, or botnet enrollment.

🟢 If Mitigated

No impact if proper patching is applied or if --exec with template expansion is avoided.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking users into running yt-dlp with malicious --exec parameters. The vulnerability is in command parsing logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.04.09

Vendor Advisory: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg

Restart Required: No

Instructions:

1. Upgrade yt-dlp to version 2024.04.09 or later.
2. On Linux/macOS: pip install --upgrade yt-dlp
3. On Windows: yt-dlp --update, or download the release from GitHub releases.

🔧 Temporary Workarounds

Avoid template expansion in --exec

Applies to: all

Only use {} (the output file path) in --exec arguments; avoid other template expansions such as %(title)s.

# Use only: yt-dlp --exec 'command {}'
# Avoid:    yt-dlp --exec 'command %(title)s'

Use info JSON instead of --exec

Applies to: all

Write the metadata to a JSON file and process it with a separate script instead of using --exec.

yt-dlp --write-info-json
# Then process the JSON file with a separate script

🧯 If You Can't Patch

  • Avoid using --exec with any output template expansion other than {}
  • Validate all fields used in --exec to ensure they don't contain ", |, or & characters

🔍 How to Verify

Check if Vulnerable:

Check the yt-dlp version: if it is between 2021.04.11 and 2024.04.08 and you use --exec with template expansion, you are vulnerable.

Check Version:

yt-dlp --version

Verify Fix Applied:

Verify yt-dlp version is 2024.04.09 or later using yt-dlp --version

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns from yt-dlp processes
  • Suspicious --exec arguments in command line logs

Network Indicators:

  • Unexpected outbound connections from yt-dlp execution
  • Downloads from unusual sources

SIEM Query:

process_name:"yt-dlp" AND cmdline:"--exec" AND NOT cmdline:"\{\}"
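As an added example (not part of this page or of the yt-dlp project), the following Python applies the detection idea above to constructed process-audit records: it parses each --exec argument for %(field)s expansions instead of only testing for the presence of {}, so a command line such as --exec 'cmd {} %(title)s' is still flagged, and it combines that with the affected version range. The record format, field names and POSIX shell quoting are assumptions.

```python
import re
import shlex

AFFECTED_MIN = (2021, 4, 11)  # first affected release (from the advisory)
AFFECTED_MAX = (2024, 4, 8)   # last affected release; 2024.04.09 is fixed
TEMPLATE_FIELD = re.compile(r"%\(")  # opening of a yt-dlp %(field)s expansion

def is_affected_version(version):
    """True if a 'YYYY.MM.DD' yt-dlp version lies in the affected range."""
    m = re.fullmatch(r"(\d{4})\.(\d{2})\.(\d{2})", version.strip())
    if not m:
        return False
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) <= AFFECTED_MAX

def exec_arguments(cmdline):
    """Return every --exec argument from a POSIX-quoted command line
    (assumption: Linux/macOS logs; Windows argv needs a different splitter)."""
    args = shlex.split(cmdline)
    found = []
    for i, tok in enumerate(args):
        if tok == "--exec" and i + 1 < len(args):
            found.append(args[i + 1])
        elif tok.startswith("--exec="):
            found.append(tok[len("--exec="):])
    return found

def uses_template_expansion(cmdline):
    """True if any --exec argument contains a %(field)s expansion; this still
    flags 'cmd {} %(title)s', which a plain NOT-'{}' filter would miss."""
    return any(TEMPLATE_FIELD.search(a) for a in exec_arguments(cmdline))

# Constructed sample process-audit records, not real logs.
SAMPLE_LOG = [
    {"version": "2023.12.30", "cmdline": "yt-dlp --exec 'echo {}' URL"},
    {"version": "2023.12.30", "cmdline": "yt-dlp --exec 'notify {} %(title)s' URL"},
    {"version": "2024.04.09", "cmdline": "yt-dlp --exec='mv {} /data/%(uploader)s/' URL"},
    {"version": "2024.04.08", "cmdline": "yt-dlp --write-info-json URL"},
]

def triage(records):
    """Indices of records where an affected version runs --exec with expansion."""
    return [i for i, r in enumerate(records)
            if is_affected_version(r["version"]) and uses_template_expansion(r["cmdline"])]

if __name__ == "__main__":
    for i in triage(SAMPLE_LOG):
        print("exposed:", SAMPLE_LOG[i]["cmdline"])
```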
