GNU Wget2, the modern successor to the ubiquitous command-line download tool, is the subject of two new security disclosures. The vulnerabilities, a path traversal and a stack-based buffer overflow, could let a remote attacker overwrite files the victim can write or crash the tool, with no more than a user being tricked into downloading a file.
The vulnerabilities, tracked as CVE-2025-69194 and CVE-2025-69195, affect the tool's core file-handling logic, turning ordinary download operations into potential security breaches.
The first, and perhaps most alarming, flaw lies in how Wget2 processes Metalink files, XML documents that list the mirrors (and the local file names) for a download.
According to the vulnerability details, the issue is a classic path traversal bug: Wget2 trusts the <file name> values inside Metalink v3/v4 documents without sanitizing them.
“The issue arises when wget2 trusts attacker-supplied <file name> values in Metalink v3/v4 documents without proper sanitization,” the report explains.
By crafting a Metalink file whose file names contain traversal sequences (such as ../../) or absolute paths, an attacker can make Wget2 write outside its download directory. This lets the tool "create, truncate, or overwrite arbitrary files writable by the victim user." The implications are severe: overwriting a user's shell startup file (such as .bashrc) gives the attacker code execution in that user's context the next time the user logs in or opens a shell.
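The check that was missing, as an added example (this is not Wget2's own code, which the page does not show): a validator for the <file name> value of a Metalink entry that rejects absolute paths, drive-letter prefixes, and any empty, "." or ".." path component, run over a constructed Metalink v4 document that mixes one honest entry with three hostile ones. The function names, the minimal attribute scan (not a real XML parser) and the sample document are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Validate one <file name="..."> value from a Metalink document (rules assumed
 * for this example): the name must be a relative path, and every component
 * must be a plain name, never empty, never "." and never "..". */
bool metalink_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* Absolute POSIX or Windows paths, and drive-letter prefixes such as C:. */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    if (name[1] == ':')
        return false;
    /* Walk the path one component at a time; both '/' and '\' count as
     * separators because the file may be written on either platform. */
    const char *p = name;
    for (;;) {
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 0)                                   /* "a//b" or "a/" */
            return false;
        if (len == 1 && p[0] == '.')                    /* "." */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')     /* ".." */
            return false;
        if (*end == '\0')
            return true;
        p = end + 1;
    }
}

/* Scan a Metalink document for <file name="..."> attributes and count how
 * many fail the check. A deliberately minimal attribute scan, not an XML
 * parser; it exists only to drive the validator over a whole document. */
int count_unsafe_metalink_names(const char *xml)
{
    static const char marker[] = "<file name=\"";
    int unsafe = 0;
    const char *p = xml;
    while ((p = strstr(p, marker)) != NULL) {
        p += sizeof(marker) - 1;
        const char *q = strchr(p, '"');
        if (q == NULL)
            break;
        char name[256];
        size_t len = (size_t)(q - p);
        if (len >= sizeof(name))
            len = sizeof(name) - 1;
        memcpy(name, p, len);
        name[len] = '\0';
        if (!metalink_name_is_safe(name))
            unsafe++;
        p = q + 1;
    }
    return unsafe;
}

/* Constructed sample document: one honest entry followed by three hostile
 * ones (relative traversal, absolute path, Windows drive path). */
static const char SAMPLE_METALINK[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<metalink xmlns=\"urn:ietf:params:xml:ns:metalink\">\n"
    "  <file name=\"releases/tool-1.0.tar.gz\"><url>https://mirror.example/tool-1.0.tar.gz</url></file>\n"
    "  <file name=\"../../.bashrc\"><url>https://evil.example/payload</url></file>\n"
    "  <file name=\"/etc/cron.d/job\"><url>https://evil.example/payload</url></file>\n"
    "  <file name=\"C:\\Users\\victim\\run.bat\"><url>https://evil.example/payload</url></file>\n"
    "</metalink>\n";

int main(void)
{
    int bad = count_unsafe_metalink_names(SAMPLE_METALINK);
    printf("rejected %d of 4 file names in the sample document\n", bad);
    return bad == 3 ? 0 : 1;
}
```

The validator checks the name before any path is joined to the download directory; a check that only looks for a leading "../" would miss "a/../../x", which is why every component is inspected.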
The second vulnerability strikes at the tool's own attempt to be safe. Wget2 offers options to sanitize filenames (for example --restrict-file-names=windows) so that downloaded files do not contain characters the host OS forbids. Paradoxically, this safety feature contains a stack-based buffer overflow.
The flaw is triggered when Wget2 processes an attacker-controlled URL path while one of these restriction options is enabled: the sanitized name is written into a fixed 1024-byte stack buffer without checking that it actually fits.
“A specially crafted URL path or HTTP redirect can trigger memory corruption, resulting in a crash or potentially enabling further exploitation,” the disclosure notes. No authentication is required, only user interaction: the victim has to run Wget2 against a malicious link, and a redirect from an otherwise benign server is enough to supply the hostile path.
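The overflow pattern and its bounded replacement, as an added example rather than Wget2's code: a filename-restriction routine that percent-escapes characters Windows forbids, first in the form that writes into a fixed 1024-byte buffer without checking, then as a bounded writer that reports the length it needs so the caller can refuse an oversized name instead of truncating or overflowing. The escape table, the three-byte %XX expansion and the 342-character threshold derived from it are assumptions of the example, not figures from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 1024   /* the fixed stack buffer size the advisory cites */

/* Characters percent-escaped under a Windows-style restriction. This table is
 * an assumption for the example, not Wget2's exact list. */
static bool needs_escape_windows(unsigned char c)
{
    return c < 0x20 || c == 0x7f || strchr("\\|:?\"*<>", c) != NULL;
}

/* VULNERABLE PATTERN (illustration only; never call it on untrusted input):
 * escapes into a fixed buffer without checking that the result fits. Each
 * escaped byte grows to three ("%3F"), so a URL path of 342 forbidden
 * characters needs 1026 bytes and runs off the end of out[]. */
static void restrict_name_unsafe(const char *path, char out[NAME_BUF_SIZE])
{
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        if (needs_escape_windows(*p)) {
            sprintf(o, "%%%02X", *p);   /* unbounded write */
            o += 3;
        } else {
            *o++ = (char)*p;
        }
    }
    *o = '\0';
}

/* HARDENED FORM: bounded writer. Returns the length the escaped name needs
 * (NUL excluded) and writes only what fits in out[outsz]; out == NULL just
 * measures. The caller compares the return value against its buffer. */
static size_t restrict_name_bounded(const char *path, char *out, size_t outsz)
{
    size_t need = 0, used = 0;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        size_t n = needs_escape_windows(*p) ? 3 : 1;
        if (out != NULL && used + n < outsz) {
            if (n == 3)
                snprintf(out + used, outsz - used, "%%%02X", *p);
            else
                out[used] = (char)*p;
            used += n;
        }
        need += n;
    }
    if (out != NULL && outsz > 0)
        out[used] = '\0';
    return need;
}

/* Caller policy: refuse a name that would not fit rather than truncating it. */
static bool build_local_name(const char *url_path, char out[NAME_BUF_SIZE])
{
    if (restrict_name_bounded(url_path, out, NAME_BUF_SIZE) >= NAME_BUF_SIZE) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed attacker input: a URL path made of n forbidden characters. */
static char *make_hostile_path(size_t n)
{
    char *path = malloc(n + 1);
    if (path != NULL) {
        memset(path, '?', n);
        path[n] = '\0';
    }
    return path;
}

static size_t escaped_length_for_forbidden_run(size_t n)
{
    char *path = make_hostile_path(n);
    if (path == NULL)
        return 0;
    size_t need = restrict_name_bounded(path, NULL, 0);
    free(path);
    return need;
}

static bool hostile_path_is_rejected(size_t n)
{
    char out[NAME_BUF_SIZE];
    char *path = make_hostile_path(n);
    if (path == NULL)
        return false;
    bool accepted = build_local_name(path, out);
    free(path);
    return !accepted;
}

/* Escape a short path into a static buffer, for display and testing. */
static const char *demo_escape(const char *path)
{
    static char out[NAME_BUF_SIZE];
    build_local_name(path, out);
    return out;
}

int main(void)
{
    char small[NAME_BUF_SIZE];
    restrict_name_unsafe("index.html?a=1", small);   /* safe only because the input is short */
    printf("unsafe routine on short input: %s\n", small);
    printf("bounded routine: %s\n", demo_escape("report:2025<draft>.txt"));
    printf("341 forbidden chars rejected: %d\n", hostile_path_is_rejected(341));
    printf("342 forbidden chars rejected: %d (needs %zu bytes)\n",
           hostile_path_is_rejected(342), escaped_length_for_forbidden_run(342));
    return 0;
}
```

The threshold matters because the attacker does not need a 1024-character path: the expansion from one byte to three means a few hundred forbidden characters, easily delivered in an HTTP redirect Location header, are enough to pass the end of a 1024-byte buffer.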
Both vulnerabilities are exploitable over the network without authentication; the only precondition is that the user performs a routine task, downloading a file, with attacker-controlled input.
- CVE-2025-69194 (Metalink path traversal) enables arbitrary file overwrite, data loss and potential code execution.
- CVE-2025-69195 (--restrict-file-names stack overflow) disrupts availability through crashes and opens the door to memory-corruption exploits.
Users of GNU Wget2 are strongly advised to check for updates immediately; until a fixed version is installed, avoid feeding Metalink documents or URLs from untrusted sources to Wget2, as these flaws turn a trusted utility into a liability.