A crucial safety vulnerability has been found in GNU Wget2, a extensively used command-line device for downloading information from the net.
`The flaw, tracked as CVE-2025-69194, permits distant attackers to overwrite arbitrary information on a sufferer’s system, doubtlessly resulting in knowledge loss or full system compromise.
The vulnerability stems from improper validation of file paths in Metalink paperwork processed by Wget2. Metalink is a format that describes obtain areas and file checksums.
Attackers can craft malicious Metalink information containing path traversal sequences that trick Wget2 into writing information to unintended areas on the filesystem.
When a person downloads and processes a weaponized Metalink doc, the applying fails to sanitize the file paths within the metadata appropriately.
FieldDetailsCVE IDCVE-2025-69194SeverityImportant / HighCVSS Score8.8WeaknessCWE-22: Path Traversal
This permits an attacker to specify arbitrary areas the place information needs to be written, restricted solely by the permissions of the person working wget2.
Based on the Widespread Weak spot Enumeration (CWE-22), this path traversal flaw can have a number of extreme penalties.
Attackers could overwrite crucial system information, applications, or libraries used for code execution. They may modify safety configuration information to bypass authentication mechanisms or create backdoor accounts.
In some situations, attackers could learn delicate information by directing wget2 to repeat them to accessible areas. Purple Hat has categorized this vulnerability as of Necessary severity.
Noting that whereas it requires person interplay to course of the malicious Metalink file, exploitation can realistically result in native code execution or knowledge corruption.
The vulnerability may also trigger denial-of-service assaults by corrupting or deleting important system information. Presently, no full mitigation is accessible that meets enterprise deployment requirements.
Customers ought to keep away from processing Metalink information from untrusted sources and monitor for safety updates from the GNU Wget2 undertaking.
Organizations ought to assess their publicity and implement network-level controls to restrict potential exploitation till patches turn into extensively out there.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
