Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 917355 (CVE-2023-46121) - <net-misc/yt-dlp-2023.11.14 Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection (CVE-2023-46121)
Summary: <net-misc/yt-dlp-2023.11.14 Generic Extractor MITM Vulnerability via Arbitrar...
Alias: CVE-2023-46121
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa?]
Depends on:
Reported: 2023-11-14 23:35 UTC by Ionen Wolkens
Modified: 2024-01-20 16:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ionen Wolkens gentoo-dev 2023-11-14 23:35:43 UTC
Fixed version already in-tree, pending stable+cleanup.

The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-20 05:12:08 UTC
The bug has been referenced in the following commit(s):

commit 0523a83f97c3adc1eb9f9ec52a067f4619987593
Author:     Ionen Wolkens <>
AuthorDate: 2023-11-20 05:10:18 +0000
Commit:     Ionen Wolkens <>
CommitDate: 2023-11-20 05:10:21 +0000

    net-misc/yt-dlp: drop vulnerable 2023.10.13
    Signed-off-by: Ionen Wolkens <>

 net-misc/yt-dlp/Manifest                 |  1 -
 net-misc/yt-dlp/yt-dlp-2023.10.13.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)

commit f2b752c52071b8b4972d27fb468960cad9b1bf79
Author:     Ionen Wolkens <>
AuthorDate: 2023-11-20 05:09:14 +0000
Commit:     Ionen Wolkens <>
CommitDate: 2023-11-20 05:09:51 +0000

    net-misc/yt-dlp: stabilize 2023.11.16 ALLARCHES (amd64)
    Signed-off-by: Ionen Wolkens <>

 net-misc/yt-dlp/yt-dlp-2023.11.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)