yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

yt-dlp 操作系统命令注入漏洞

yt-dlp是yt-dlp的基于现在不活动的youtube-dlc 的youtube-dl分支。 yt-dlp 2023.06.21版本至2026.02.21之前版本存在操作系统命令注入漏洞，该漏洞源于使用--netrc-cmd命令行选项时可能允许命令注入，可能导致攻击者在用户系统上执行任意命令。

N/A

N/A