Summary
If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.
This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.
Details
At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped.
An example of a potential attack scenario exploiting this vulnerability:
- an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an unvalidated redirect to a target URL.
- yt-dlp extracts this URL and calculates the cookies which are then passed to
curl.
- the download URL redirects to a server controlled by the attacker, to which
curl forwards the user's sensitive cookie information.
Patches
yt-dlp version 2026.06.09 fixes this issue by doing the following:
- Pass the cookies through stdin via
--cookie - if curl is version 7.59 or higher.
- Pass the cookies via
--cookie /dev/fd/0 if the system supports this device file.
- In all other cases create a temporary file, save the cookies and then pass via
--cookie <file>.
Workarounds
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
- Do not use
--downloader curl.
References
Summary
If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.
This is the equivalent to GHSA-v8mc-9377-rwjj for the
curldownloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.Details
At the file download stage, the cookies are passed by yt-dlp to the file downloader via
--cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result,curlwill send cookies with requests to domains or paths for which the cookies are not scoped.An example of a potential attack scenario exploiting this vulnerability:
curl.curlforwards the user's sensitive cookie information.Patches
yt-dlp version 2026.06.09 fixes this issue by doing the following:
--cookie -ifcurlis version 7.59 or higher.--cookie /dev/fd/0if the system supports this device file.--cookie <file>.Workarounds
It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.
For users who are not able to upgrade:
--downloader curl.References