GHSA-f7j3-774f-rfhjMediumCVSS 6.1

yt-dlp: File Downloader cookie leak with curl

Published
June 16, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.

This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.

Details

At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped.

An example of a potential attack scenario exploiting this vulnerability:

  1. an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an unvalidated redirect to a target URL.
  2. yt-dlp extracts this URL and calculates the cookies which are then passed to curl.
  3. the download URL redirects to a server controlled by the attacker, to which curl forwards the user's sensitive cookie information.

Patches

yt-dlp version 2026.06.09 fixes this issue by doing the following:

  • Pass the cookies through stdin via --cookie - if curl is version 7.59 or higher.
  • Pass the cookies via --cookie /dev/fd/0 if the system supports this device file.
  • In all other cases create a temporary file, save the cookies and then pass via --cookie <file>.

Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.

For users who are not able to upgrade:

  • Do not use --downloader curl.

🎯 Affected products1

  • pip/yt-dlp:>= 2023.9.24, < 2026.6.9

🔗 References (5)