CVE-2023-35934
CVSS 3.1 Score 8.2 of 10 (high)
Details
Summary
CVE-2023-35934 is a vulnerability in yt-dlp, a command-line program for downloading videos, affecting versions prior to 2023.07.06 and nightly 2023.07.06.185519. During the file download process, yt-dlp or its external downloaders may leak cookies by transmitting them to a domain or path other than the one they were set for. The cause is that all cookies are passed as `Cookie` headers during HTTP redirects and manifest downloads, so the same cookies reach whatever domain or path the redirect or manifest points to. All native and external downloaders are affected, except for `curl` (version 3.1.0 or later) and `httpie`. The fix in yt-dlp 2023.07.06 and nightly 2023.07.06.185519 removes the `Cookie` header upon redirects, uses the built-in cookie support of external downloaders, and disables redirection for external downloaders that lack proper cookie support. Users who cannot upgrade can avoid cookies and user authentication methods, avoid the `--load-info-json` option, or use `curl` as the external downloader. Users should also verify the integrity of download links from unknown sources before passing them to yt-dlp and avoid fragmented formats such as HLS/m3u8, DASH/mpd, and ISM.
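As an added illustration (not yt-dlp's own code), the following Python contrasts the pre-fix behaviour of copying the raw `Cookie` header onto a redirected request with the fixed behaviour of dropping that header and letting a cookie jar re-attach only the cookies whose domain and path match the redirect target. The hostnames, paths and cookie values are constructed for the example.

```python
"""Cookie scoping across HTTP redirects, modelled on the CVE-2023-35934 fix."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, path="/"):
    """Helper for this example: build a Netscape-style (version 0) cookie scoped to domain/path."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True, secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def vulnerable_redirect_headers(headers, redirect_url):
    """Pre-fix behaviour: every header, Cookie included, is forwarded verbatim to the
    redirect target, whatever host or path that target belongs to."""
    return dict(headers)


def hardened_redirect_headers(headers, redirect_url, jar):
    """Fixed behaviour: strip the raw Cookie header, then let the cookie jar re-attach only
    cookies that pass DefaultCookiePolicy's domain and path matching for redirect_url."""
    stripped = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    req = Request(redirect_url, headers=stripped)
    jar.add_cookie_header(req)  # adds a Cookie header only if some cookie matches
    return dict(req.header_items())


def demo():
    """Constructed scenario: a session cookie for video.example plus a path-limited cookie,
    then redirects to a third-party CDN and to another path on the same host."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("session", "s3cr3t", "video.example"))      # constructed sample
    jar.set_cookie(make_cookie("pref", "hd", "video.example", "/watch"))   # constructed sample
    first = Request("https://video.example/watch/abc", headers={"User-Agent": "demo/1.0"})
    jar.add_cookie_header(first)
    original = dict(first.header_items())
    cross_site = "https://cdn.other.example/segment.ts"          # constructed redirect target
    same_host_other_path = "https://video.example/api/manifest.m3u8"
    return {
        "original": original.get("Cookie"),
        "vulnerable_cross_site": vulnerable_redirect_headers(original, cross_site).get("Cookie"),
        "hardened_cross_site": hardened_redirect_headers(original, cross_site, jar).get("Cookie"),
        "hardened_same_host": hardened_redirect_headers(original, same_host_other_path, jar).get("Cookie"),
    }


if __name__ == "__main__":
    for label, cookie_header in demo().items():
        print(f"{label}: {cookie_header}")
```

The vulnerable path sends the session cookie to `cdn.other.example`; the hardened path sends nothing there and only the domain-wide `session` cookie to the `/api/` path on the same host.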