yt-dlp: File Downloader cookie leak with curl
- Where: Global (internet)
- Category: cyber_advisory · pip
### Summary

If `curl` is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon an HTTP redirect, or when the host serving download fragments differs from the host of their parent manifest. This is the equivalent of [GHSA-v8mc-9377-rwjj](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj) for the `curl` downloader. The vulnerable behavior is present in [yt-dlp](https://github.com/yt-dlp/yt-dlp) releases since 2023.09.24.

### Details

At the file download stage, yt-dlp passes the cookies to the file downloader via `--cookie`. However, unless the value is loaded from a file, this option does not activate curl's cookie engine, so the cookies are treated as a fixed header value rather than as scoped cookies. As a result, `curl` sends the cookies with requests to domains or paths for which the cookies are not scoped.

An example of a potential attack scenario exploiting this vulnerability:

1. An attacker crafts a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site for which the user has loaded cookies, and performs an [unvalidated redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) to a target URL.
2. yt-dlp extracts this URL and determines the applicable cookies, which are then passed to `curl`.
3. The download URL redirects to a server controlled by the attacker, to which `curl` forwards the user's sensitive cookie information.

### Patches

yt-dlp version 2026.06.09 fixes this issue as follows:

- Pass the cookies through stdin via `--cookie -` if `curl` is version 7.59 or higher.
- Pass the cookies via `--cookie /dev/fd/0` if the system supports this device file.
- In all other cases, create a temporary file, save the cookies to it and pass it via `--cookie <file>`.

### Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible. For users who are not able to upgrade:

- Do not use `--downloader curl`.
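As an added illustration (not yt-dlp's own code), the following Python sketch implements the fallback order described above: parse the curl version, pick stdin, `/dev/fd/0` or a temporary file, and build the `curl` argument list so the cookies always arrive as a Netscape-format cookie *file*, which is what enables curl's domain and path scoping. The sample cookie jar, the `--location` flag and all function names are assumptions made for this example.

```python
import os
import tempfile

# Constructed sample cookie jar in Netscape format (placeholder value, not a real credential).
SAMPLE_COOKIE_JAR = (
    "# Netscape HTTP Cookie File\n"
    ".trusted.example\tTRUE\t/\tTRUE\t0\tsession\tCONSTRUCTED-VALUE\n"
)


def parse_curl_version(version_output):
    """Parse the first line of `curl --version` (e.g. "curl 8.5.0 (x86_64-...) ...")."""
    first_line = version_output.splitlines()[0] if version_output.strip() else ""
    fields = first_line.split()
    if len(fields) < 2 or fields[0] != "curl":
        return None
    try:
        return tuple(int(p) for p in fields[1].split(".")[:3])
    except ValueError:
        return None


def choose_cookie_transport(version, dev_fd_available=None):
    """Fallback order from the advisory: stdin (curl >= 7.59), then /dev/fd/0, then a temp file."""
    if version is not None and version >= (7, 59):
        return "stdin"
    if dev_fd_available is None:
        dev_fd_available = os.path.exists("/dev/fd/0")
    return "dev_fd" if dev_fd_available else "tempfile"


def build_curl_command(url, cookie_jar, transport):
    """Return (argv, stdin_data, tempfile_path); stdin_data is fed to curl via subprocess input.

    In every branch --cookie receives a *file*, so curl enables its cookie engine and
    only sends each cookie to the domain/path it is scoped to, even across redirects.
    """
    if transport == "stdin":
        return ["curl", "--location", "--cookie", "-", url], cookie_jar, None
    if transport == "dev_fd":
        return ["curl", "--location", "--cookie", "/dev/fd/0", url], cookie_jar, None
    fd, path = tempfile.mkstemp(prefix="cookies-", suffix=".txt")
    with os.fdopen(fd, "w") as handle:
        handle.write(cookie_jar)
    return ["curl", "--location", "--cookie", path, url], None, path


def vulnerable_curl_command(url, cookie_header):
    """Pre-fix shape, for contrast: an inline value never activates the cookie engine,
    so curl re-sends it unchanged to whatever host a redirect lands on."""
    return ["curl", "--location", "--cookie", cookie_header, url]
```

When `stdin_data` is not `None`, run the command with `subprocess.run(argv, input=stdin_data, text=True)`; the temporary file branch should delete `tempfile_path` once the download finishes.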
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-16 20:16 UTC