CVE-2023-35934
Python vulnerability analysis and mitigation

Overview

CVE-2023-35934 affects yt-dlp, a command-line program for downloading videos from various online platforms. The vulnerability was discovered in July 2023 and affects all versions prior to 2023.07.06 and nightly builds before 2023.07.06.185519. The issue also impacts related projects youtube-dl (since version 2015.01.25) and youtube-dlc (GHSA Advisory).

Technical details

During file downloads, yt-dlp or its external downloaders may leak cookies on HTTP redirects to different hosts, or when download fragment hosts differ from their parent manifest's host. At the file download stage, cookies are passed as a Cookie header without proper scoping, allowing the downloader to send cookies indiscriminately to unintended domains or paths. The vulnerability has a CVSS v3.1 base score of 8.2 HIGH (NIST) and 6.1 MEDIUM (GitHub) (NVD).

Impact

An attacker could potentially craft a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. When this URL redirects to an attacker-controlled server, yt-dlp would forward the user's sensitive cookie information, potentially exposing authentication tokens or other sensitive data (GHSA Advisory).

Mitigation and workarounds

The issue is fixed in yt-dlp version 2023.07.06 and nightly build 2023.07.06.185519. The fix removes Cookie headers on HTTP redirects, scopes cookies properly to the host and path they were set for, and improves how cookies are passed to external downloaders. For users unable to upgrade, the advisory lists these workarounds: avoid cookies and authentication methods, use curl as the external downloader, avoid fragmented formats such as HLS/m3u8 and DASH/mpd, or verify the integrity of download links before use (GHSA Advisory).
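As an added illustration, not yt-dlp's own code, the following Python shows the two behaviours the fix describes: building a Cookie header only from cookies scoped to the request's host and path, and dropping credential headers when a redirect or fragment URL leaves the original origin. The cookie jar and URLs are constructed; jar entries follow the Netscape cookie-file convention, where a leading dot marks a domain cookie that also matches subdomains.

```python
from urllib.parse import urlsplit

# Constructed cookie jar: (domain, path, name, value).  A leading dot on the
# domain means "this host and its subdomains"; no dot means host-only.
JAR = [
    (".example.com", "/", "session", "abc123"),
    ("cdn.example.com", "/video", "frag", "xyz"),
]


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs share scheme and host:port (case-insensitive)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def headers_for_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Headers to send to a redirect (or fragment) target.

    Credentials bound to the original host are stripped as soon as the
    target is a different origin; this is the check the unpatched
    downloader lacked.  A scheme change (http -> https) also counts as a
    new origin here, which is the conservative choice.
    """
    if same_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in ("cookie", "authorization")}


def cookie_matches(cookie_domain: str, cookie_path: str, url: str) -> bool:
    """RFC 6265-style domain and path matching for one jar entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie_domain.startswith("."):
        dom = cookie_domain[1:].lower()
        domain_ok = host == dom or host.endswith("." + dom)
    else:
        domain_ok = host == cookie_domain.lower()
    path = parts.path or "/"
    path_ok = path == cookie_path or (
        path.startswith(cookie_path)
        and (cookie_path.endswith("/") or path[len(cookie_path)] == "/"))
    return domain_ok and path_ok


def cookie_header_for(jar: list, url: str):
    """Cookie header built only from entries scoped to this URL, else None."""
    pairs = [f"{name}={value}" for domain, path, name, value in jar
             if cookie_matches(domain, path, url)]
    return "; ".join(pairs) if pairs else None
```

Running `cookie_header_for(JAR, "https://attacker.example/")` returns None, and `headers_for_redirect` keeps the Cookie header only while the redirect stays on the original origin.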


Related Python vulnerabilities:

CVE ID             | Severity | Score | Technologies | Component name   | CISA KEV exploit | Has fix | Published date
CVE-2026-21441     | HIGH     | 8.9   | Python       | urllib3          | No               | Yes     | Jan 07, 2026
CVE-2026-21851     | MEDIUM   | 5.3   | Python       | monai            | No               | No      | Jan 07, 2026
GHSA-f2mf-q878-gh58 | MEDIUM   | 5.3   | Python       | parsl            | No               | Yes     | Jan 06, 2026
CVE-2026-21883     | MEDIUM   | 4.5   | Python       | bokeh            | No               | Yes     | Jan 08, 2026
CVE-2026-22041     | LOW      | 2     | Python       | loggingredactor  | No               | Yes     | Jan 07, 2026
