Executive Summary

A critical path traversal vulnerability, CVE-2025-69194, has been identified in GNU Wget2, the next-generation version of the widely used Wget command-line downloader. The flaw allows a malicious remote server to control where a downloaded file is saved on the client's filesystem. This can be abused to overwrite arbitrary files, including critical system files, user profiles, or SSH authorized_keys, which could lead to a full system compromise. Given that Wget2 is often used in automated scripts, build pipelines, and container images, this vulnerability poses a significant threat to a wide range of systems and automated processes.

Vulnerability Details

• CVE ID: CVE-2025-69194
• CVSS Score: Not yet assigned (as of Jan 4, 2026), but expected to be High or Critical.
• Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The vulnerability occurs because Wget2 fails to properly sanitize file paths provided in the server's response (e.g., in the Content-Disposition header or as part of a URL redirect). An attacker can craft a response containing path traversal sequences (e.g., ../..). A vulnerable Wget2 client would interpret this path and write the downloaded file outside of the intended destination directory. For example, an attacker could trick Wget2 into overwriting /home/user/.bashrc to execute commands on the user's next login, or overwrite /etc/shadow to cause a denial of service.

Affected Systems

• Product: GNU Wget2
• Affected Versions: Specific vulnerable versions have not been detailed in the source articles, but users of Wget2 should assume they are affected until they can update to a patched version.

Exploitation Status

The vulnerability was disclosed on the oss-security mailing list. There is no evidence of active exploitation in the wild at this time. However, the simplicity of the exploit means that threat actors are likely to start incorporating it into their toolkits, especially for targeting automated systems like CI/CD pipelines that use Wget2 to fetch dependencies.

Impact Assessment

The impact of this vulnerability can range from moderate to critical, depending on the privileges of the user running Wget2 and the file that is overwritten.

• Remote Code Execution: The most severe impact. An attacker could overwrite a user's .bashrc, .profile, or a cron job to execute arbitrary code.
• Data Loss: Overwriting critical data files could lead to permanent data loss.
• Denial of Service: Overwriting essential system files like /etc/passwd could render the system unusable.
• Security Control Bypass: Overwriting a file like /home/user/.ssh/authorized_keys could allow an attacker to gain SSH access to the system.

Cyber Observables for Detection

Detection is best performed by analyzing server responses and filesystem activity.

Detection Methods

• File Integrity Monitoring (FIM): Use FIM tools like AIDE or Wazuh to monitor for unexpected changes to critical system files and user configuration files.
• Network-Level Inspection: Configure IDS/IPS systems to inspect HTTP traffic for malicious Content-Disposition headers containing path traversal characters.
• Dependency Scanning: Use software composition analysis (SCA) tools to identify all instances of GNU Wget2 in your environment, including in container images and build scripts, and check if they are a vulnerable version.

Remediation Steps

1. Update GNU Wget2: The primary remediation is to update to a patched version of GNU Wget2 as soon as it becomes available from your operating system's package manager or the official GNU project.
2. Audit Automated Scripts: Review all scripts and automated processes that use wget2. Ensure that they are only downloading files from trusted, well-vetted URLs.
3. Run as Low-Privilege User: As a general best practice, ensure that automated scripts using tools like wget2 run as a dedicated, low-privilege user. This will limit the potential damage of an arbitrary file write, preventing the overwrite of critical system files.