CVE-2024-22423 Overview
CVE-2024-22423 is a critical remote code execution (RCE) vulnerability in yt-dlp, a popular youtube-dl fork. It bypasses the incomplete fix for CVE-2023-40581, which attempted to prevent RCE when the --exec option is combined with %q output-template expansion. The original patch replaced each double quote with two double quotes, but this escaping was insufficient: it still allowed environment variable expansion on Windows systems.
The vulnerability exists because the shell escape function failed to properly neutralize percent signs (%), which Windows interprets as environment variable delimiters. An attacker controlling media metadata (such as video titles or descriptions) can inject malicious payloads that execute arbitrary commands when processed through the --exec parameter.
Critical Impact
Remote attackers can achieve arbitrary code execution on Windows systems by crafting malicious media metadata that exploits environment variable expansion when users process content with yt-dlp's --exec functionality.
Affected Products
- yt-dlp versions from 2021.04.11 to before 2024.04.09
Discovery Timeline
- April 9, 2024 - CVE-2024-22423 published to NVD
- January 5, 2026 - Last updated in NVD database
Technical Details for CVE-2024-22423
Vulnerability Analysis
This vulnerability represents a command injection flaw (CWE-78) that enables remote code execution through improper neutralization of special elements used in OS commands. The vulnerable behavior was introduced in yt-dlp version 2021.04.11 when support for output template expansion in the --exec parameter was added.
The core issue lies in the Windows-specific shell quoting function within yt-dlp's compatibility layer. The previous patch for CVE-2023-40581 addressed double quote escaping by doubling each double quote ("") instead of backslash-escaping it (\"), but it failed to account for Windows environment variable expansion syntax. On Windows, text enclosed in percent signs (e.g., %USERNAME%) is expanded to the corresponding environment variable value before the command is executed, and this expansion also happens inside double-quoted arguments.
An attacker can exploit this by embedding specially crafted strings in media metadata fields that, when processed by yt-dlp's --exec functionality, result in command injection through environment variable expansion or by using pipe (|) and ampersand (&) characters to chain additional commands.
Root Cause
The root cause is insufficient input sanitization in the compat_shlex_quote function within yt_dlp/compat/__init__.py. The function was designed to safely quote strings for shell execution on Windows, but it only handled double quote characters while leaving percent signs, backslashes, and newline characters unescaped. This allowed attackers to inject payloads that bypass the quoting mechanism through Windows environment variable expansion.
Attack Vector
The attack is network-based and requires no authentication or user interaction beyond a victim processing malicious content. The attack chain is:
- Host or control media content with malicious metadata (video title, description, etc.)
- Wait for a victim to download or process this content using yt-dlp with the --exec option and %q template expansion
- The malicious metadata containing percent signs, pipes, or ampersands gets passed unsanitized to the shell
- Arbitrary commands execute in the context of the yt-dlp process
The following code shows the Windows quoting function before and after the first, incomplete patch:

```python
# Original vulnerable code in yt_dlp/compat/__init__.py
if compat_os_name == 'nt':
    def compat_shlex_quote(s):
        import re
        # Plain tokens pass through; anything else is wrapped in double quotes
        # with inner quotes backslash-escaped, which cmd.exe does not honour.
        return s if re.match(r'^[-_\w./]+$', s) else '"%s"' % s.replace('"', '\\"')

# Initial patch attempt (still vulnerable - CVE-2023-40581 fix)
if compat_os_name == 'nt':
    def compat_shlex_quote(s):
        import re
        # Inner quotes are now doubled, but '%' is left untouched, so cmd.exe
        # still expands %VAR% sequences inside the quoted argument.
        return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')
```
Source: GitHub Commit de015e9307
The final fix in version 2024.04.09 neutralizes percent signs by replacing each % with %%cd:~,%: cmd.exe keeps the first % as a literal percent sign and expands %cd:~,% (a zero-length substring of the always-present cd variable) to nothing, so the original character survives but can no longer open an environment variable reference.
[priority] Security: [[CVE-2024-22423](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22423)] [Prevent RCE when using `--exec` with `%q` on Windows](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p)
- The shell escape function now properly escapes `%`, `\` and `\n`.
- `utils.Popen` has been patched accordingly.
Source: GitHub Commit ff07792676
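To make the root cause concrete, here is an added example (not yt-dlp's own code): it reproduces the incomplete CVE-2023-40581 quoting shown above beside a hardened quoter modelled on the %%cd:~,% replacement described for the 2024.04.09 fix, and runs both through a minimal model of cmd.exe's %VAR% expansion. The translation table, the newline rejection and the expansion model are this example's assumptions, not upstream code.

```python
import re

# Windows quoting as of the incomplete CVE-2023-40581 patch (copied from the page):
# double quotes are doubled, but '%' passes through untouched.
def quote_incomplete_fix(s: str) -> str:
    return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')

# Hardened quoting modelled on the page's description of the 2024.04.09 fix:
# '%' -> '%%cd:~,%', where cmd.exe keeps the first '%' literal and expands
# '%cd:~,%' (a zero-length substring of the always-set `cd` variable) to nothing.
# Doubling '\' and rejecting newlines are this example's own simplifications.
_HARDENED = str.maketrans({'"': '""', '%': '%%cd:~,%', '\\': '\\\\'})

def quote_hardened(s: str) -> str:
    if '\n' in s or '\r' in s:
        raise ValueError('newline in argument cannot be quoted safely for cmd.exe')
    if re.fullmatch(r'[-_\w./]+', s, re.ASCII):
        return s
    return s.translate(_HARDENED).join('""')

# Minimal model of cmd.exe command-line %VAR% expansion. It runs before quotes
# are interpreted, which is why doubling quotes alone never stops it.
def expand_like_cmd(cmdline: str, env: dict) -> str:
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] != '%':
            out.append(cmdline[i])
            i += 1
            continue
        j = cmdline.find('%', i + 1)
        if j == -1:                       # unmatched trailing '%' stays literal
            out.append(cmdline[i:])
            break
        name = cmdline[i + 1:j]
        if name == '':                    # '%%': first '%' is literal, re-scan from the second
            out.append('%')
            i += 1
            continue
        if name != 'cd:~,':               # '%cd:~,%' expands to '' and is dropped
            out.append(env.get(name, cmdline[i:j + 1]))  # undefined names stay literal
        i = j + 1
    return ''.join(out)

# Constructed sample: an uploader-controlled title holding a quote and a %VAR%.
SAMPLE_TITLE = 'Talk by "guest" %USERNAME%'
SAMPLE_ENV = {'USERNAME': 'alice'}

def compare() -> tuple:
    # (what the old quoting lets cmd.exe see, what the hardened quoting yields)
    return (expand_like_cmd(quote_incomplete_fix(SAMPLE_TITLE), SAMPLE_ENV),
            expand_like_cmd(quote_hardened(SAMPLE_TITLE), SAMPLE_ENV))
```

With the old quoting the metadata reaches the shell with %USERNAME% already substituted; with the hardened quoting the literal text %USERNAME% survives unchanged.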
Detection Methods for CVE-2024-22423
Indicators of Compromise
- Unusual command execution spawned as child processes of yt-dlp on Windows systems
- Media files or streams with metadata containing suspicious patterns such as %, |, or & characters combined with command syntax
- Process monitoring showing yt-dlp executing unexpected binaries or scripts
- Anomalous network connections initiated by processes spawned from yt-dlp execution chains
Detection Strategies
- Monitor process creation events for yt-dlp with --exec parameters, especially those using %q template expansion
- Implement YARA rules to detect media files with metadata containing potential command injection patterns
- Deploy endpoint detection rules that alert on suspicious child process spawning from yt-dlp processes
- Audit scripts and automation workflows that use yt-dlp with --exec functionality
Monitoring Recommendations
- Enable command-line logging on Windows systems to capture full yt-dlp invocations
- Implement process tree monitoring to detect unexpected command chains originating from yt-dlp
- Review and audit any automated systems that process untrusted media content through yt-dlp
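As an added example supporting the monitoring and audit recommendations (not part of the page or of yt-dlp): a small scanner that flags yt-dlp invocations using --exec with output-template fields in constructed command-line log records. The record layout, user names and URLs are assumptions for this example; it flags any %(field) expansion, since the page's workaround allows only the {} placeholder in --exec.

```python
import re

# Constructed Windows command-line log records: "<timestamp> <user> <command line>"
# (layout assumed for this example; adapt the split to your actual log source).
SAMPLE_LOG = """\
2024-04-10T09:01:02 alice yt-dlp --exec "ffmpeg -i {} out.mp4" https://example.invalid/v/1
2024-04-10T09:05:40 bob yt-dlp --exec "notify.exe %(title)q" https://example.invalid/v/2
2024-04-10T09:07:13 carol yt-dlp -o "%(title)s.%(ext)s" https://example.invalid/v/3
2024-04-10T09:09:55 dave yt-dlp --exec "after_move:tag.exe %(uploader)q %(id)q" https://example.invalid/v/4
"""

# The --exec value, either --exec "quoted command" or --exec=bareword
EXEC_ARG = re.compile(r'--exec(?:=|\s+)(?:"([^"]*)"|(\S+))')
# Any yt-dlp output-template field inside the --exec command; %q is the
# documented RCE trigger, but every field expansion puts metadata on the command line
TEMPLATE_FIELD = re.compile(r'%\((\w+)\)')

def flag_risky_exec(log: str) -> list:
    """Return (user, sorted template fields) for yt-dlp --exec uses that expand metadata."""
    findings = []
    for line in log.splitlines():
        _ts, user, cmdline = line.split(' ', 2)
        if 'yt-dlp' not in cmdline:
            continue
        m = EXEC_ARG.search(cmdline)
        if not m:
            continue                        # --exec not used at all
        command = m.group(1) if m.group(1) is not None else m.group(2)
        fields = sorted(set(TEMPLATE_FIELD.findall(command)))
        if fields:                          # {}-only commands produce no finding
            findings.append((user, fields))
    return findings
```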
How to Mitigate CVE-2024-22423
Immediate Actions Required
- Upgrade yt-dlp to version 2024.04.09 or later immediately
- Audit existing scripts and workflows for usage of --exec with %q or other template expansions
- Temporarily disable --exec functionality if immediate upgrade is not possible
- Restrict yt-dlp execution to trusted content sources only until patched
Patch Information
The yt-dlp maintainers released version 2024.04.09 which fixes this vulnerability by properly escaping percent signs using the %%cd:~,% technique. This ensures that percent characters in user-controlled input cannot trigger environment variable expansion on Windows.
Relevant security resources:
- GitHub Security Advisory GHSA-hjq6-52gw-2g7p
- GitHub Release 2024.04.09
- CERT Vulnerability Note #123335
Workarounds
- For Windows users unable to upgrade: avoid using any output template expansion in --exec other than {} (filepath)
- If template expansion in --exec is required: manually verify that fields being used do not contain ", |, or & characters
- Consider writing info JSON to file and loading fields from it instead of using --exec directly
- Use caution when processing any media from untrusted sources, as using unvalidated input in shell commands is inherently dangerous
```shell
# Safe alternative: Write info to JSON and process separately
yt-dlp --write-info-json -o "%(title)s.%(ext)s" "VIDEO_URL"
# Then parse the .info.json file in your script instead of using --exec

# If upgrade is possible, update yt-dlp:
pip install -U yt-dlp
# Or using pipx:
pipx upgrade yt-dlp
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.