yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
Description
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses --netrc-cmd in their command/configuration or netrc_cmd in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without --netrc-cmd in their arguments or netrc_cmd in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the --netrc-cmd command-line option (or netrc_cmd Python API parameter), or they should at least not pass a placeholder ({}) in their --netrc-cmd argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yt-dlpPyPI | >= 2023.06.21, < 2026.02.21 | 2026.02.21 |
Affected products
2- yt-dlp/yt-dlpv5Range: >= 2023.06.21, < 2026.02.21
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-g3gw-q23r-pgqmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26331ghsaADVISORY
- github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1aghsax_refsource_MISCWEB
- github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21ghsax_refsource_MISCWEB
- github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.