This advisory follows the security advisory GHSA-v8mc-9377-rwjj published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
During file downloads, youtube-dl or the external downloaders that it invokes may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.
This vulnerable behaviour is present in all versions of youtube-dl and forks released since 2015-01-25. All native and external downloaders are affected, except for curl and httpie (for version 3.1.0 or later).
At the file download stage, all cookies are passed by youtube-dl to the file downloader as a Cookie header, thereby losing their scope. This also occurs in the .info.json output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.
Impact
In a worst case scenario, this vulnerability could allow a threat actor to exfiltrate a user's account cookies for a site. For example, a malicious actor could use a URL redirect vulnerability in the target site for which the user has account cookies to redirect to the actor's server. A maliciously crafted website could cause youtube-dl to use this URL as a download format and leak the user's account cookies to the malicious actor.
Patches
The master code of youtube-dl as of 2023-07-18 remediates this vulnerability by:
- removing the Cookie header on HTTP redirects
- having native downloaders calculate their own Cookie header from the Cookiejar
- using each external downloader's built-in support for cookies, instead of passing them as header arguments; or, if the external downloader does not have proper cookie support, disabling HTTP redirection (axel only)
- processing cookies passed as HTTP headers to limit their scope (--add-header "Cookie:..." is scoped to the input URL domain only)
- storing cookies in a separate cookies field of the info dict instead of http_headers so as not to lose their scope.
These changes are incorporated in nightly builds dated 2023-07-18 or later.
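As an added illustration of the per-request scoping the patches describe (example code written for this advisory, not youtube-dl's own implementation), the block below uses only the standard library: cookies given via an "add-header" style Cookie value are stored in a CookieJar scoped to the input URL's host, the Cookie header is recomputed from the jar for each URL actually requested, and a redirect to a different host drops any inherited Cookie header. The function names, the cookie values and the URLs are constructed for the example.

```python
# Added example (not youtube-dl's code): scope cookies per request instead of
# handing one flat Cookie header to every downloader request.
import http.cookiejar
import urllib.request
from urllib.parse import urlparse


def add_header_cookies(jar, cookie_header, input_url):
    """Parse a 'Cookie: a=1; b=2' style value (as given via --add-header) and
    store each cookie in the jar, scoped to the input URL's host and path '/'."""
    host = urlparse(input_url).hostname
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=name, value=value, port=None, port_specified=False,
            domain=host, domain_specified=True, domain_initial_dot=False,
            path="/", path_specified=True, secure=False, expires=None,
            discard=True, comment=None, comment_url=None, rest={}))


def cookie_header_for(jar, url):
    """Compute the Cookie header the jar would send to exactly this URL,
    honouring domain, path and secure scope; None when nothing is in scope."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the jar's policy to this request only
    return req.get_header("Cookie")


def headers_after_redirect(headers, from_url, to_url):
    """Drop an inherited Cookie header when the redirect target host differs
    from the originating host; the caller then recomputes it from the jar."""
    if urlparse(from_url).hostname != urlparse(to_url).hostname:
        return {k: v for k, v in headers.items() if k.lower() != "cookie"}
    return dict(headers)


if __name__ == "__main__":
    jar = http.cookiejar.CookieJar()
    add_header_cookies(jar, "sid=abc123; theme=dark", "https://example.com/watch?v=1")
    print(cookie_header_for(jar, "https://example.com/video.mp4"))   # in scope
    print(cookie_header_for(jar, "https://cdn.example.net/seg1.ts"))  # None: other host
    print(headers_after_redirect({"Cookie": "sid=abc123", "User-Agent": "ua"},
                                 "https://example.com/a", "https://evil.example.net/b"))
```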
Workarounds
For users who are not able to upgrade youtube-dl from master code or install a nightly release:
- avoid using cookies and user authentication methods (--cookies, --password/-p, --netrc); while extractors may set custom cookies, these usually do not contain sensitive information.
- avoid using --load-info-json.
If authentication is a must:
- verify integrity of download links from unknown sources in the browser (including redirects) before passing them to youtube-dl
- use curl as an external downloader, as it is not affected (--downloader curl)
- avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM (use -f "(bestvideo+bestaudio/best)[protocol^=http]").
References