CVSS 3.1 Score 3.7 of 10 (low)


Published Nov 15, 2023
Updated: Nov 22, 2023
CWE ID 444


CVE-2023-46121 is a vulnerability in yt-dlp, a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp allows an attacker to set an arbitrary proxy for a request to any URL, potentially enabling them to perform a Man-in-the-Middle (MITM) attack on the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in certain scenarios.

The issue has been addressed in version 2023.11.14 by removing the ability to smuggle http_headers to the Generic Extractor and other extractors using the same pattern. Users are advised to upgrade their version of yt-dlp. Those who cannot upgrade should disable the Generic Extractor or only pass trusted sites with trusted content, and should exercise caution when using --no-check-certificate.

The vulnerability has a base severity rating of LOW, with a CVSS v3.1 base score of 3.7 out of 10.
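The upgrade-or-workaround guidance above can be enforced by a small wrapper around yt-dlp; the following is an added example, not code from yt-dlp or from this advisory. It assumes the version string comes from `yt-dlp --version`, treats every release older than 2023.11.14 as affected (a conservative assumption, since the page does not name the first affected version), and uses yt-dlp's `--use-extractors default,-generic` option to disable the Generic Extractor; the function names are hypothetical.

```python
import re

FIXED = (2023, 11, 14)  # fixed release named in the advisory text
# Both spellings are checked; the page names the singular form.
INSECURE_TLS = {"--no-check-certificate", "--no-check-certificates"}
EXTRACTOR_OPTS = ("--use-extractors", "--ies")


def parse_version(text):
    """Turn `yt-dlp --version` output such as '2023.10.13' into an int tuple."""
    text = text.strip()
    # Date-based versions, optionally with a fourth nightly component.
    if not re.fullmatch(r"\d{4}(\.\d+){2,3}", text):
        raise ValueError(f"unrecognised yt-dlp version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """Assumption: anything older than the fixed release is affected."""
    return parse_version(version_text) < FIXED


def build_command(version_text, user_args):
    """Return the yt-dlp argv, applying the workarounds on affected versions."""
    cmd = ["yt-dlp"]
    if not is_affected(version_text):
        return cmd + list(user_args)
    for arg in user_args:
        name = arg.split("=", 1)[0]
        if name in INSECURE_TLS:
            # Without certificate checks, a rogue proxy can read the session.
            raise ValueError(f"{name} refused on affected version {version_text}")
        if name in EXTRACTOR_OPTS:
            # A caller-supplied selection could re-enable the Generic Extractor.
            raise ValueError(f"{name} refused: extractor list is set by the wrapper")
    # Keep the default extractors and drop only the generic one.
    return cmd + ["--use-extractors", "default,-generic"] + list(user_args)
```

The returned list is meant to be passed to `subprocess.run` without a shell, so the URL argument is never interpreted as shell syntax.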
