CVE-2024-22423: 
Python vulnerability analysis and mitigation

CVE-2024-22423 affects yt-dlp, a youtube-dl fork with additional features and fixes. The vulnerability was discovered in the --exec command functionality when using %q on Windows systems, allowing for potential remote code execution through command injection. The issue was introduced in version 2021.04.11 and was patched in version 2024.04.09. This vulnerability is a bypass of the previous fix for CVE-2023-40581 (CERT VU#123335, GitHub Advisory).

The vulnerability stems from insufficient escaping of special characters in the shell escape function. The previous patch for CVE-2023-40581 attempted to prevent RCE by replacing double quotes with two double quotes, but this escaping mechanism was not sufficient and still allowed for environment variable expansion. The vulnerability has a CVSS v3.1 score of 8.3 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on Windows systems when using the --exec command with %q output template expansion. The impact is particularly severe when processing untrusted input through the command execution functionality (CERT VU#123335).

The primary mitigation is to upgrade to yt-dlp version 2024.04.09 which properly escapes % by replacing it with %%cd:~,%. For users unable to upgrade, several workarounds are available: avoid using output template expansion in --exec other than {} (filepath), verify fields don't contain %, ", | or & if expansion is needed, or use info json instead of --exec. Additionally, users should exercise caution when using --exec with untrusted input (GitHub Advisory).