CVE-2023-35934 (fedora, youtube-dl, youtube-dlc, yt-dlp)

yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).

At the file download …

command cookies cve dlp download downloads external fedora file fragments host http leak manifest may program redirects video videos vulnerable youtube