Server-Side Request Forgery (SSRF) in athlon1600/youtube-downloader


Reported on

Mar 2nd 2022


youtube-downloader takes an URL from the url query parameter, passes it directly to curl and streams the response to the browser. This makes it vulnerable to an SSRF attack if someone passes an URL containing an internal hostname, as it will stream internal resources to the browser.

Proof of Concept

GET /youtube-downloader/public/stream.php?url=http://localhost/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost
User-Agent: HTTPie/2.4.0


On a publicly accessible instance of youtube-downloader, this vulnerability can allow an attacker to retrieve sensitive information hosted on the internal network.

We are processing your report and will contact the athlon1600/youtube-downloader team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the athlon1600/youtube-downloader team and are waiting to hear back 2 years ago
We have sent a follow up to the athlon1600/youtube-downloader team. We will try again in 7 days. 2 years ago
athlon1600 validated this vulnerability 2 years ago
Pierre Rudloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
athlon1600 marked this as fixed in v3.1.1 with commit 6ffe82 2 years ago
athlon1600 has been awarded the fix bounty
This vulnerability will not receive a CVE
Pierre Rudloff
a year ago


I don't think this is properly fixed, stream.php can still be used to fetch an internal resource. It should probably only allow requests to specific domains.

to join this conversation