python · yt-dlpHeads-up
yt-dlp Cookie Leak Fix for Curl Downloader
yt-dlp fixed a vulnerability where cookies could be leaked to unintended hosts when using curl as an external downloader.
What changed
yt-dlp fixed a vulnerability where cookies could be leaked to unintended hosts when using curl as an external downloader. The fix passes cookies via stdin or a temporary file to ensure proper scoping.
Who it affects
Users of yt-dlp who use curl as an external downloader (--downloader curl) and have not upgraded to version 2026.06.09.
What to do today
Upgrade yt-dlp to version 2026.06.09 or later. If unable to upgrade, avoid using --downloader curl.
The trail
Collected→
Audited→
Written→
Published
Source
GitHub Advisory · yt-dlp