YoutubeDLSharp Command Injection Vulnerability in Yt-dlp Integration on Windows
Vulnerability
A command injection vulnerability has been identified in YoutubeDLSharp, a .NET wrapper for the video downloaders youtube-dl and yt-dlp. This issue affects versions from 1.0.0-beta4 up to, but not including, 1.1.2. The vulnerability arises from unsafe handling of arguments when yt-dlp is launched from a command prompt on Windows. The 'UseWindowsEncodingWorkaround' option is enabled by default, which allows malicious commands to be injected. Users who call the built-in methods from the YoutubeDL.cs file cannot disable this option, which leaves them vulnerable.
Impact
Exploitation of this vulnerability allows for command injection on Windows systems, where injected commands are executed alongside the yt-dlp process. This could lead to unauthorized execution of commands, potentially causing harm or disruption to the user's system.
Reproduction
To reproduce this vulnerability, use YoutubeDLSharp version 1.1.1 or lower on a Windows operating system. Call a built-in method from the YoutubeDL.cs file, such as 'RunVideoDataFetch', with a crafted URL that includes a command injection payload. The 'UseWindowsEncodingWorkaround' option, which is enabled by default, will cause the injected command to be executed when yt-dlp is run.
Remediation
Upgrade to YoutubeDLSharp version 1.1.2 or higher, where the vulnerability has been patched by removing the 'UseWindowsEncodingWorkaround' option. If you are on version 1.1.1 or lower and upgrading to the latest version is not an option, manually sanitize inputs to remove any potentially malicious content before passing them to yt-dlp.
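One way to apply the input-sanitization fallback described above, as an added example that is not code from YoutubeDLSharp or from this advisory. The class name, the length limit and the allow-list are assumptions of this example: it accepts only absolute http/https URLs built from characters that have no special meaning to the Windows command prompt, and rejects everything else rather than trying to strip it.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of YoutubeDLSharp): validate a URL before it is
// handed to a built-in method such as RunVideoDataFetch on version 1.1.1 or lower.
public static class YtDlpUrlGuard
{
    // Strict allow-list (assumption of this example). It deliberately excludes
    // & | < > ^ " ' % ! ( ) backticks and all whitespace, so URLs with several
    // query parameters or percent-encoding are rejected as well.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9\-._~:/?#@=+]+\z", RegexOptions.CultureInvariant);

    public static bool TryGetSafeUrl(string input, out string safeUrl)
    {
        safeUrl = string.Empty;
        if (string.IsNullOrEmpty(input) || input.Length > 2048) return false;
        if (!Allowed.IsMatch(input)) return false;           // reject, never "clean up"
        if (!Uri.TryCreate(input, UriKind.Absolute, out Uri uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        if (string.IsNullOrEmpty(uri.Host)) return false;
        safeUrl = input;                                      // unchanged, fully validated
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs, for illustration only.
        string[] samples =
        {
            "https://example.com/watch?v=abc123",          // accepted
            "https://example.com/watch?v=abc123&list=xyz", // rejected: '&' not allowed
            "https://example.com/a b",                     // rejected: whitespace
            "ftp://example.com/video",                     // rejected: scheme
        };
        foreach (string s in samples)
        {
            bool ok = TryGetSafeUrl(s, out _);
            Console.WriteLine($"{(ok ? "accept" : "reject")}  {s}");
        }
    }
}
```

Because the allow-list rejects legitimate URLs that carry extra query parameters, callers need to reduce a URL to the single parameter they require before validating it. Upgrading to 1.1.2 or higher remains the actual fix.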
