CVE-2024-38519 Overview
CVE-2024-38519 is an arbitrary code execution vulnerability affecting yt-dlp and youtube-dl, popular command-line audio/video downloaders. The vulnerability exists because these tools do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder. On Windows systems, this also enables path traversal attacks. Since both yt-dlp and youtube-dl read configuration files from the working directory, and Windows will execute binaries from the tool's directory, this vulnerability can be exploited to achieve arbitrary code execution.
Critical Impact
Attackers can craft malicious media URLs that cause arbitrary files to be written to the download directory with dangerous extensions, potentially leading to code execution when users run the tools from sensitive locations.
Affected Products
- yt-dlp versions prior to 2024.07.01
- youtube-dl versions prior to nightly builds tagged 2024-07-03
- youtube-dl versions without commit d42a222 applied
Discovery Timeline
- 2024-07-02 - CVE-2024-38519 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-38519
Vulnerability Analysis
This vulnerability stems from CWE-669 (Incorrect Resource Transfer Between Spheres), where yt-dlp and youtube-dl fail to properly validate and restrict file extensions during the download process. The lack of extension whitelisting allows attackers to craft malicious URLs that result in files being saved with arbitrary extensions, including executable formats like .exe, .bat, .cmd, or .dll on Windows systems.
The attack surface is particularly dangerous because both tools read configuration files from the current working directory. If a user downloads content to a directory that is in their system PATH, or to sensitive locations like their user directory or system32, an attacker-controlled file with an executable extension could be executed automatically or when the user next runs the tool.
Root Cause
The root cause lies in the insufficient input validation of file extensions derived from remote content. The applications trusted server-provided or URL-derived extension information without sanitizing or validating it against a list of safe, expected media file extensions. This allowed malicious actors to specify arbitrary extensions that the tools would blindly use when writing files to disk.
Attack Vector
The attack requires local access where a user must be tricked into downloading content from a malicious or compromised website. The attacker controls the file extension through the download URL or server response, and when combined with directory traversal on Windows, can write executable files to locations where they may be automatically executed. The attack succeeds when:
- The user downloads from a malicious source
- The output template doesn't enforce a safe extension
- The download occurs in a sensitive directory (PATH, user directory, system directories)
The security patches introduce an _UnsafeExtensionError class to block dangerous extensions from being downloaded:
write_json_file,
write_string,
)
-from .utils._utils import _YDLLogger
+from .utils._utils import _UnsafeExtensionError, _YDLLogger
from .utils.networking import (
HTTPHeaderDict,
clean_headers,
Source: yt-dlp Security Commit
The changelog was also updated to document the security fix:
"when": "e6a22834df1776ec4e486526f6df2bf53cb7e06f",
"short": "[ie/orf:on] Add `prefer_segments_playlist` extractor-arg (#10314)",
"authors": ["seproDev"]
+ },
+ {
+ "action": "add",
+ "when": "6aaf96a3d6e7d0d426e97e11a2fcf52fda00e733",
+ "short": "[priority] Security: [[CVE-2024-10123](https://nvd.nist.gov/vuln/detail/CVE-2024-10123)] [Properly sanitize file-extension to prevent file system modification and RCE](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j)\n - Unsafe extensions are now blocked from being downloaded"
}
]
Source: yt-dlp Security Commit
Detection Methods for CVE-2024-38519
Indicators of Compromise
- Unexpected executable files (.exe, .bat, .cmd, .dll, .ps1) appearing in download directories
- Configuration files appearing in yt-dlp or youtube-dl working directories that were not created by the user
- Files with path traversal sequences (e.g., ../) in filenames within download folders
Detection Strategies
- Monitor file system activity for executable file creation in directories commonly used for media downloads
- Implement application whitelisting to detect unauthorized executables in user download directories
- Use endpoint detection and response (EDR) solutions to flag process execution from unusual locations such as media download folders
- Audit installed versions of yt-dlp and youtube-dl across enterprise endpoints
Monitoring Recommendations
- Enable file integrity monitoring on sensitive directories including system PATH locations, user profile directories, and system32
- Configure SentinelOne behavioral AI to detect execution of binaries from non-standard locations
- Set up alerts for yt-dlp or youtube-dl processes that spawn child processes or write executable files
- Review download directories periodically for files with unexpected extensions
How to Mitigate CVE-2024-38519
Immediate Actions Required
- Upgrade yt-dlp to version 2024.07.01 or later immediately
- Upgrade youtube-dl to nightly builds tagged 2024-07-03 or later, or apply commit d42a222
- Ensure the output template always ends with .%(ext)s to enforce proper extension handling
- Never download content to directories within PATH, system32, or other sensitive binary locations
Patch Information
The vulnerability has been fixed through extension whitelisting in both tools. For yt-dlp, the fix is included in version 2024.07.01 and later. For youtube-dl, the fix is available in commit d42a222 on the master branch and in nightly builds tagged 2024-07-03 or later. Detailed security information is available in the yt-dlp Security Advisory and the youtube-dl Security Advisory.
Workarounds
- Keep the default output template (-o "%(title)s [%(id)s].%(ext)s") to avoid custom template vulnerabilities
- Verify that downloaded media extensions are common video/audio/subtitle formats before opening
- Avoid using the generic extractor when possible, as it increases attack surface
- Use --ignore-config --config-location /trusted/path/config to prevent loading configuration from untrusted locations
- Only download from websites and sources that you explicitly trust
# Recommended secure configuration
# Use explicit config location and safe output template
yt-dlp --ignore-config --config-location ~/.config/yt-dlp/config \
-o "~/Downloads/videos/%(title)s [%(id)s].%(ext)s" \
"https://trusted-site.com/video"
# For youtube-dl with similar protections
youtube-dl --ignore-config --config-location ~/.config/youtube-dl/config \
-o "~/Downloads/videos/%(title)s [%(id)s].%(ext)s" \
"https://trusted-site.com/video"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
