Bug 917355 (CVE-2023-46121)

Summary: <net-misc/yt-dlp-2023.11.14 Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection (CVE-2023-46121)
Product: Gentoo Security Reporter: Ionen Wolkens <ionen>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: gentoo, ionen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---

Description Ionen Wolkens gentoo-dev 2023-11-14 23:35:43 UTC
Fixed version already in-tree, pending stable+cleanup.

The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.

Comment 1 Larry the Git Cow gentoo-dev 2023-11-20 05:12:08 UTC
The bug has been referenced in the following commit(s):

commit 0523a83f97c3adc1eb9f9ec52a067f4619987593
Author:     Ionen Wolkens <>
AuthorDate: 2023-11-20 05:10:18 +0000
Commit:     Ionen Wolkens <>
CommitDate: 2023-11-20 05:10:21 +0000

    net-misc/yt-dlp: drop vulnerable 2023.10.13
    Signed-off-by: Ionen Wolkens <>

 net-misc/yt-dlp/Manifest                 |  1 -
 net-misc/yt-dlp/yt-dlp-2023.10.13.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)

commit f2b752c52071b8b4972d27fb468960cad9b1bf79
Author:     Ionen Wolkens <>
AuthorDate: 2023-11-20 05:09:14 +0000
Commit:     Ionen Wolkens <>
CommitDate: 2023-11-20 05:09:51 +0000

    net-misc/yt-dlp: stabilize 2023.11.16 ALLARCHES (amd64)
    Signed-off-by: Ionen Wolkens <>

 net-misc/yt-dlp/yt-dlp-2023.11.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)