External risk intelligence

yt-dlp Arbitrary File Write Leading to Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-50574

yt-dlp is a local command-line utility used by individuals to download media. It is not a network service, gateway, or internet-facing appliance. Exposure requires a user to manually run the tool against malicious input, making it a client-side execution scenario rather than a public-facing network service.

Yt Dlp Project Yt Dlp

before 2026.06.09

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects the yt-dlp media downloading tool, specifically when using an external downloader like aria2c with certain stream formats. If exploited, it could allow for arbitrary file writes, potentially leading to code execution on user systems. The main concern at this stage is confirming if this tool is in use within the organization and, if so, identifying potential exposure.

  • Issue: Malicious input can cause arbitrary file writes.
  • Remember: Used for downloading videos, not a network service.
  • Takeaway: Confirm if this tool is used and assess relevance.

Attack Path

How an attacker could exploit the issue

An attacker could target users of yt-dlp by tricking them into downloading specially crafted video streams. When yt-dlp processes these streams using an external downloader like aria2c, it passes the input without sufficient checks. This allows an attacker to manipulate the process, potentially leading to the execution of arbitrary code on the user's system, especially on Windows.

  • Requires user to run yt-dlp.
  • Triggered by downloading malformed streams.
  • Risk of arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

yt-dlp, when using aria2c for fragmented manifests, could pass unsanitized input to the downloader, potentially allowing an attacker to write arbitrary files. This could lead to code execution on Windows, or on other platforms after the next yt-dlp invocation.

  • Arbitrary file writes may occur.
  • Input is passed to external downloader.
  • Code execution could result.

Operational Fix

Recommended remediation, mitigation, and detection steps

The yt-dlp project's command-line utility is impacted when using aria2c for fragmented manifest downloads. Responsibility likely lies with individual users or development teams running yt-dlp, as it's a client-side tool. The first step is to confirm if yt-dlp is in use, particularly with aria2c and HLS/DASH streams, and then plan for updates or risk reduction if confirmed.

  • Identify yt-dlp users and its configuration.
  • Verify aria2c usage with fragmented streams.
  • Update yt-dlp to the patched version.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is yt-dlp?

yt-dlp is a popular command-line utility designed for downloading audio and video content from various websites. It acts as a client-side tool that users run manually to capture media streams. The software supports advanced features by integrating with external tools, such as the aria2c downloader, to handle complex, fragmented media formats like HLS or DASH streams.

How does CVE-2026-50574 impact yt-dlp?

This vulnerability involves a weakness known as Improper Neutralization of Special Elements (CWE-74). When yt-dlp uses aria2c to process specific fragmented video manifests, it fails to properly sanitize the input. This oversight allows a specially crafted video stream to cause an arbitrary file write on the host system, which can subsequently lead to unauthorized code execution.

When does this vulnerability trigger?

The flaw triggers only when a user intentionally runs yt-dlp against a malicious stream while configured to use aria2c as an external downloader. It is not triggered by simply having the software installed or by browsing the web. If you do not use aria2c, or if you are downloading content from trusted, non-malicious sources, the specific conditions for this file write vulnerability are not met.

Is my system at risk?

Halo Surface Signal notes that this is a client-side execution scenario, not a network-facing service, making it very unlikely to be exposed to random internet attacks. Because the tool must be manually executed by a user against malicious input, the risk is primarily relevant to those who frequently use yt-dlp with aria2c to download media from untrusted or public websites.

How do I secure my environment against this?

The primary resolution is to update your installation of yt-dlp to version 2026.06.09 or newer, which contains the necessary security fixes. Before updating, you should verify whether your environment utilizes the aria2c integration for fragmented streams, as this configuration is the specific requirement for the vulnerability to exist.

References