yt-dlp Command Injection Vulnerability via --netrc-cmd Option

Vulnerability

A command injection vulnerability has been identified in yt-dlp, a command-line tool for downloading audio and video. It affects versions from 2023.06.21 up to, but not including, 2026.02.21. The vulnerability arises when the --netrc-cmd command-line option or the netrc_cmd Python API parameter is used with a placeholder for the netrc 'machine' name: the machine value, which an attacker can influence through a maliciously crafted URL, is substituted into the command string without validation, and the resulting string is run by the shell, leading to arbitrary command execution on the user's system. Although the executed command is visible in yt-dlp's output, the attack can be carried out covertly, because a seemingly innocuous webpage can deliver the crafted URL through an HTTP redirect. Users who do not use the --netrc-cmd option or the netrc_cmd parameter in their scripts are not affected.

Impact

Exploitation allows arbitrary command execution with the privileges of the user running yt-dlp; the resulting harm depends on the injected commands.

Reproduction

To reproduce this vulnerability, run an affected version with --netrc-cmd set to a command string that contains the placeholder for the netrc 'machine' name, then supply a URL (directly, or via a page that redirects to it) whose machine value carries shell metacharacters. Because the substituted string is handed to the user's shell, the crafted portion of the machine value runs as additional commands.

Remediation

Users are advised to upgrade to yt-dlp version 2026.02.21 or later, which addresses the vulnerability by validating netrc 'machine' values and rejecting unexpected input before substitution. Those unable to upgrade should avoid using the --netrc-cmd option or the netrc_cmd parameter in Python scripts, or, at a minimum, not include a placeholder in the --netrc-cmd argument, since the injection depends on the substituted machine value.

Added: Feb 24, 2026, 3:27 AM
Updated: Feb 24, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm

spread          6.6
impact         10.0
exploitability  5.4
remediation     8.3
relevance       3.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.