Bug 2249769 (CVE-2023-46121) - CVE-2023-46121 yt-dlp: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
Summary: CVE-2023-46121 yt-dlp: Generic Extractor MITM Vulnerability via Arbitrary Pro...
Status: NEW
Alias: CVE-2023-46121
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2249770
TreeView+ depends on / blocked
Reported: 2023-11-15 09:12 UTC by ybuenos
Modified: 2023-11-15 09:13 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description ybuenos 2023-11-15 09:12:56 UTC
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

Comment 1 ybuenos 2023-11-15 09:13:10 UTC
Created yt-dlp tracking bugs for this issue:

Affects: fedora-all [bug 2249770]

Note You need to log in before you can comment on or make changes to this bug.