yt-dlp: File Downloader cookie leak with curl
🔗 CVE IDs covered (1)
📋 Description
Summary
If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.
This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.
Details
At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped.
An example of a potential attack scenario exploiting this vulnerability:
- an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an unvalidated redirect to a target URL.
- yt-dlp extracts this URL and calculates the cookies which are then passed to
curl. - the download URL redirects to a server controlled by the attacker, to which
curlforwards the user's sensitive cookie information.
Patches
yt-dlp version 2026.06.09 fixes this issue by doing the following:
- Pass the cookies through stdin via
--cookie -ifcurlis version 7.59 or higher. - Pass the cookies via
--cookie /dev/fd/0if the system supports this device file. - In all other cases create a temporary file, save the cookies and then pass via
--cookie <file>.
Workarounds
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
- Do not use
--downloader curl.
🎯 Affected products1
- pip/yt-dlp:>= 2023.9.24, < 2026.6.9
🔗 References (5)
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj
- https://github.com/yt-dlp/yt-dlp/commit/2726572520238356bcf64aba2040228648b44c82
- https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2026.06.09.230517
- https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09
- https://github.com/advisories/GHSA-f7j3-774f-rfhj