cvedb.io
CVE-2023-35934
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2023-07-06T20:15:09.333 · Last modified 2026-06-17T06:05:29.993

Summary

yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later). At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies w

Affected products

youtube-dlc_project — youtube-dlc

Does this affect you?

Add your gear to cvedb and we'll alert you only when youtube-dlc_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.