Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69195

CVE-2025-69195: GNU Wget2 Buffer Overflow Vulnerability

CVE-2025-69195 is a stack-based buffer overflow flaw in GNU Wget2's filename sanitization logic that allows remote attackers to cause memory corruption via crafted URLs. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-69195 Overview

CVE-2025-69195 is a stack-based buffer overflow [CWE-121] in GNU Wget2, the successor to the widely used wget download utility. The flaw resides in the filename sanitization logic that processes attacker-controlled URL paths when filename restriction options are active. A remote attacker can craft a malicious URL that, once a user interacts with wget2, triggers memory corruption on the stack. Successful exploitation can crash the process and may enable arbitrary code execution within the user's context.

Critical Impact

A specially crafted URL processed by wget2 can corrupt the stack, leading to denial of service or potential arbitrary code execution with the privileges of the invoking user.

Affected Products

  • GNU Wget2 (all versions prior to the upstream fix)
  • Linux distributions packaging vulnerable wget2 builds
  • Automation and CI pipelines invoking wget2 against untrusted URLs

Discovery Timeline

  • 2026-01-09 - CVE-2025-69195 published to the National Vulnerability Database (NVD)
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-69195

Vulnerability Analysis

The vulnerability lives in the filename sanitization routine that wget2 invokes when saving remote resources to disk. When filename restriction options such as --restrict-file-names are active, the routine rewrites characters from the URL path into a fixed-size stack buffer. An attacker-controlled URL with a crafted path length or character distribution causes the sanitizer to write past the buffer boundary.

Because the overflow occurs on the stack, adjacent saved registers, frame pointers, and return addresses can be overwritten. The result is process termination at minimum and, depending on compiler hardening flags and platform mitigations, control-flow hijack at worst. User interaction is required: a victim must run wget2 against the attacker-supplied URL.

Root Cause

The root cause is missing or insufficient bounds checking in the filename sanitization function. The code assumes the transformed filename fits within a statically sized stack buffer. It does not validate the length of the path component extracted from the URL before performing character substitutions and copies, which is the classic [CWE-121] pattern.

Attack Vector

Exploitation occurs over the network with low complexity and no privileges. The attacker hosts a resource at a URL with a malicious path, then lures a user or automated job into fetching it with wget2. Common delivery channels include phishing links, compromised mirrors, malicious redirects, and tampered package metadata that references attacker URLs.

No verified public exploit or proof-of-concept code is available at this time. Refer to the Red Hat CVE Advisory and Red Hat Bug Report #2425770 for upstream tracking details.

Detection Methods for CVE-2025-69195

Indicators of Compromise

  • Crash dumps or segmentation faults originating from wget2 processes, especially when invoked with --restrict-file-names or related sanitization flags.
  • Unusual outbound HTTP/HTTPS requests from automation accounts to URLs containing abnormally long or character-dense path components.
  • Unexpected child processes spawned by wget2 or its parent shell shortly after a download attempt.

Detection Strategies

  • Hunt process telemetry for wget2 exits with non-zero or signal-based termination codes correlated with recent URL fetches.
  • Inspect proxy and DNS logs for fetches against newly registered or low-reputation domains delivered via scripts or scheduled jobs.
  • Apply file integrity monitoring to directories used as wget2 output targets to flag anomalous filenames.

Monitoring Recommendations

  • Enable core dump collection on Linux build and download hosts to capture stack overflow evidence for analysis.
  • Forward shell, cron, and CI execution logs to a central data lake for correlation with network egress events.
  • Alert on wget2 invocations that pass user-controlled URLs from web forms, ticketing systems, or untrusted feeds.

How to Mitigate CVE-2025-69195

Immediate Actions Required

  • Inventory hosts and container images that ship wget2 and identify versions in use with wget2 --version.
  • Upgrade wget2 to the fixed package version supplied by your Linux distribution as soon as it is released.
  • Restrict use of wget2 against untrusted URLs in interactive sessions, scripts, and CI pipelines until patches are applied.

Patch Information

Monitor the Red Hat CVE Advisory and your distribution's security feed for fixed wget2 package versions. Apply vendor updates through standard package management once available, and rebuild any container images that bundle wget2.

Workarounds

  • Substitute curl or the legacy wget binary for download tasks against untrusted URLs until wget2 is patched.
  • Avoid passing the --restrict-file-names option when fetching from sources that cannot be validated, since the flaw is reached through that sanitization path.
  • Run wget2 under a low-privilege service account with filesystem and network egress restrictions enforced via AppArmor, SELinux, or seccomp.
bash
# Configuration example: confirm installed version and constrain wget2 execution
wget2 --version | head -n 1

# Block wget2 from reaching arbitrary external hosts via egress firewall (example: nftables)
nft add rule inet filter output meta skuid wget2user ip daddr != 10.0.0.0/8 drop

# Run wget2 inside a restrictive systemd-run sandbox
systemd-run --uid=nobody --property=NoNewPrivileges=yes \
  --property=ProtectSystem=strict --property=ProtectHome=yes \
  wget2 https://trusted.example.com/file

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.