Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69194

CVE-2025-69194: GNU Wget2 Path Traversal Vulnerability

CVE-2025-69194 is a path traversal flaw in GNU Wget2 affecting Metalink document handling. Attackers can write files to unintended locations, risking data loss. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-69194 Overview

A critical path traversal vulnerability has been discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements, allowing attackers to write files to arbitrary locations on the target system. This vulnerability can be exploited remotely without authentication, potentially leading to data loss, system compromise, or establishment of persistent access through malicious file placement.

Critical Impact

Attackers can exploit this path traversal flaw to write arbitrary files to unintended locations, enabling remote code execution scenarios, data destruction, or establishment of backdoor access by overwriting critical system or application files.

Affected Products

  • GNU Wget2 (all versions prior to patch)
  • Systems and applications utilizing Wget2 for automated file downloads
  • Linux distributions packaging vulnerable Wget2 versions

Discovery Timeline

  • 2026-01-09 - CVE-2025-69194 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-69194

Vulnerability Analysis

This vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in GNU Wget2's Metalink document parser, which processes XML-based Metalink files used to describe downloadable resources with multiple mirrors and verification checksums.

When Wget2 processes a Metalink document, it reads the <file name> element to determine where the downloaded file should be saved. The application fails to adequately sanitize this filename value, allowing attackers to include directory traversal sequences (such as ../) that escape the intended download directory. This enables an attacker to specify arbitrary file paths on the target system.

The network-accessible nature of this vulnerability, combined with no authentication requirements and no user interaction needed, makes it particularly dangerous in automated download scenarios where Wget2 processes Metalink files from untrusted sources.

Root Cause

The root cause is insufficient input validation in the Metalink file parsing logic. When processing the <file name> element within Metalink documents, Wget2 does not properly sanitize or restrict path components before using them to construct the destination file path. The absence of checks for directory traversal sequences (../, absolute paths, or symbolic link references) allows attackers to control where files are written on the filesystem.

Attack Vector

The attack vector is network-based and can be executed remotely. An attacker crafts a malicious Metalink document containing path traversal sequences in the <file name> element. When a victim's Wget2 client processes this document—either through direct download or via an automated process—the attacker-controlled filename causes the downloaded content to be written outside the intended directory.

Attack scenarios include:

  • Hosting malicious Metalink files on attacker-controlled servers
  • Man-in-the-middle attacks modifying legitimate Metalink responses
  • Supply chain attacks through compromised mirror infrastructure
  • Overwriting configuration files (e.g., .bashrc, cron jobs) to achieve code execution
  • Writing SSH authorized_keys for persistent remote access
  • Corrupting or replacing application binaries

For detailed technical information about this vulnerability, see the Red Hat CVE-2025-69194 Advisory and Red Hat Bug Report #2425773.

Detection Methods for CVE-2025-69194

Indicators of Compromise

  • Unexpected file modifications in sensitive directories such as /etc/, ~/.ssh/, or application configuration paths
  • Files created outside of standard download directories by Wget2 processes
  • Metalink files containing ../ sequences or absolute paths in <file name> elements
  • Network traffic showing Metalink document downloads followed by anomalous file system activity

Detection Strategies

  • Monitor file system activity for Wget2 processes writing to locations outside designated download directories
  • Implement network inspection rules to detect Metalink documents with suspicious path patterns in <file name> elements
  • Deploy endpoint detection rules that alert on directory traversal patterns in command-line arguments and file operations
  • Audit automated scripts and CI/CD pipelines that utilize Wget2 for potential exposure to untrusted Metalink sources

Monitoring Recommendations

  • Enable verbose logging for Wget2 operations to capture destination file paths
  • Implement file integrity monitoring (FIM) on critical system directories
  • Monitor for creation or modification of files in sensitive locations by non-standard processes
  • Review Wget2 usage patterns across systems to identify potential exposure points

How to Mitigate CVE-2025-69194

Immediate Actions Required

  • Update GNU Wget2 to the latest patched version as soon as vendor updates are available
  • Review and restrict Metalink file processing to trusted sources only
  • Implement network-level filtering to block Metalink files from untrusted origins
  • Audit systems for signs of exploitation, particularly unauthorized file modifications
  • Consider temporarily disabling Metalink support if not operationally required

Patch Information

Organizations should monitor the GNU Wget2 project and their Linux distribution's security advisories for official patches. Red Hat has published tracking information via Red Hat CVE-2025-69194 Advisory. Apply vendor-supplied patches immediately upon availability and verify the integrity of the update before deployment.

Workarounds

  • Disable Metalink processing in Wget2 configurations where this feature is not required
  • Run Wget2 in sandboxed or containerized environments with restricted filesystem access
  • Implement application-level firewalls to inspect and filter Metalink content before processing
  • Use file system permissions to limit Wget2's write access to designated directories only
  • Consider using alternative download tools that properly validate Metalink file paths until a patch is applied
bash
# Configuration example - Restrict Wget2 to specific download directory
# Run wget2 with restricted directory permissions
mkdir -p /var/downloads/wget2
chmod 755 /var/downloads/wget2
# Use container isolation for wget2 operations
# podman run --rm -v /var/downloads/wget2:/downloads:Z wget2-container wget2 --metalink=file.meta -P /downloads

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.