CVE-2023-46121: 
Python vulnerability analysis and mitigation

CVE-2023-46121 affects the Generic Extractor in yt-dlp, a youtube-dl fork with additional features and fixes. The vulnerability was discovered and disclosed on November 14, 2023, affecting versions from 2022.10.04 up to (excluding) 2023.11.14. The issue allows an attacker to set an arbitrary proxy for a request to an arbitrary URL, potentially leading to Man-in-the-Middle (MITM) attacks (NVD, GitHub Advisory).

The vulnerability stems from yt-dlp's URL smuggling mechanism, which is used to pass control data between extractors. The Generic Extractor supports receiving arbitrary HTTP headers in a smuggled URL, including internal headers like 'Ytdl-request-proxy' and 'Ytdl-socks-proxy'. A maliciously crafted site could include these smuggled options in a URL, allowing the Generic Extractor to extract and redirect to itself, thereby enabling an attacker to set an arbitrary proxy for any URL requested by yt-dlp. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 MEDIUM by GitHub and 3.7 LOW by NVD (NVD).

The vulnerability could lead to cookie exfiltration in cases where users have loaded cookies into yt-dlp for target sites that aren't marked as secure. An attacker could potentially MITM requests made to any website and set cookies for arbitrary sites. However, the impact is somewhat limited as most modern websites use HTTPS and set cookies as secure (GitHub Advisory).

The vulnerability was patched in version 2023.11.14, which removed the ability to smuggle 'http_headers' to the Generic extractor and other extractors using the same pattern. Users are advised to upgrade to this version. Those unable to upgrade should disable the Generic extractor or only pass trusted sites with trusted content, and take caution when using '--no-check-certificate' (NVD, Release Notes).