GHSA-3v33-3wmw-3785: 
Python vulnerability analysis and mitigation

A low severity vulnerability was discovered in yt-dlp (versions 2023.09.24 to 2024.07.02) where its DouyuTV and DouyuShow extractors utilized cdn.bootcdn.net as a fallback source for the crypto-js JavaScript library. The vulnerability was disclosed on July 7, 2024, and patched in version 2024.07.07. This CDN was identified to be controlled by the same malicious actor responsible for the Polyfill JS supply chain attack (GitHub Advisory).

The vulnerability stems from the Douyu extractors' dependency on external JavaScript code execution through PhantomJS. When processing Douyu-related URLs, the system would attempt to fetch the crypto-js library first from cdnjs.cloudflare.com, and if unavailable, fall back to cdn.bootcdn.net. The code would then be executed externally using PhantomJS, potentially exposing users to malicious JavaScript code (GitHub Commit).

The vulnerability's exploitation potential requires three specific conditions to be met simultaneously: the user must have PhantomJS installed, must be processing a douyu.com or douyutv.com URL, and cdnjs.cloudflare.com must be unavailable (forcing the use of the malicious CDN fallback). While no direct exploits have been reported, the potential exists for malicious JavaScript code to be downloaded/cached by yt-dlp or executed by PhantomJS (GitHub Advisory).

Users are strongly advised to upgrade to yt-dlp version 2024.07.07, which removes the malicious CDN URL and invalidates any existing Douyu extractor cache data. For users unable to upgrade immediately, two workarounds are available: avoid using the Douyu extractors (--ies default,-douyutv,-douyushow) and uninstall or avoid installing PhantomJS (GitHub Advisory).