CVE-2023-35934

Summary

The vulnerability with the CVE ID CVE-2023-35934 affects yt-dlp, a command-line program used for downloading videos from video sites. It is present in versions prior to 2023.07.06 and nightly 2023.07.06.185519. This vulnerability allows cookies to be leaked during file downloads on HTTP redirects to a different host or when the host for download fragments differs from their parent manifest's host. All native and external downloaders are affected except for 'curl' and 'httpie' (version 3.1.0 or later). The cookies are passed as a 'Cookie' header at the file download stage, losing their scope and causing potential indiscriminate sending of cookies with requests to domains or paths for which they are not scoped. The issue is fixed in yt-dlp versions 2023.07.06 and nightly 2023.07.06.185519 by removing the 'Cookie' header upon HTTP redirects. This vulnerability poses a potential danger to organizations as it can lead to information exposure and compromise the confidentiality of sensitive data. (Note: The information above is a summary of the provided text and does not represent an actual vulnerability in any product.)

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.