CVE-2025-69194

Name of the Vulnerable Software and Affected Versions GNU Wget2 (affected versions not specified)

Description GNU Wget2 contains a path traversal flaw when processing Metalink documents. The application does not properly validate file paths within the <file name> elements of Metalink v3/v4 documents. This allows an attacker to craft malicious Metalink files containing traversal sequences (like ../../) or absolute paths, forcing Wget2 to write files to unintended locations. This can lead to data loss, arbitrary file overwrite, or potentially remote code execution if an attacker overwrites user configuration files. The vulnerability is remotely exploitable and requires no authentication, relying on a user downloading a malicious Metalink file. The affected component is the Metalink Handler.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.