Home > Vulnerability Database > CVE-2023-46121

Mend.io Vulnerability Database

CVE-2023-46121

Good to know:

Date: November 14, 2023

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

Language: Python

Severity Score

5.0

Related Resources (6)

Url: https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb

Url: https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14

Url: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x

Url: https://github.com/yt-dlp/yt-dlp

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46121

Url: https://www.mend.io/vulnerability-database/CVE-2023-46121

Severity Score

5.0

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-444

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version yt-dlp - 2023.11.14

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46121

Good to know:

Date: November 14, 2023

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?