GNU Wget2 Hit by Critical Path Traversal Vulnerability (CVE-2025-69194) Leading to Arbitrary File Overwrite

Critical Flaw in GNU Wget2 Allows Arbitrary File Overwrites

HIGH
January 4, 2026
4m read
VulnerabilityPatch ManagementOther

Related Entities

Organizations

GNU Project

Products & Tech

GNU Wget2

CVE Identifiers

CVE-2025-69194
CRITICAL
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1204.002Execution

Malicious File

T1059.004Execution

Unix Shell

T1574.006Persistence

Dynamic Linker Hijacking

Full Report

Executive Summary

A critical path traversal vulnerability, CVE-2025-69194, has been identified in GNU Wget2, the next-generation version of the widely used Wget command-line downloader. The flaw allows a malicious remote server to control where a downloaded file is saved on the client's filesystem. This can be abused to overwrite arbitrary files, including critical system files, user profiles, or SSH authorized_keys, which could lead to a full system compromise. Given that Wget2 is often used in automated scripts, build pipelines, and container images, this vulnerability poses a significant threat to a wide range of systems and automated processes.

Vulnerability Details

  • CVE ID: CVE-2025-69194
  • CVSS Score: Not yet assigned (as of Jan 4, 2026), but expected to be High or Critical.
  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The vulnerability occurs because Wget2 fails to properly sanitize file paths provided in the server's response (e.g., in the Content-Disposition header or as part of a URL redirect). An attacker can craft a response containing path traversal sequences (e.g., ../..). A vulnerable Wget2 client would interpret this path and write the downloaded file outside of the intended destination directory. For example, an attacker could trick Wget2 into overwriting /home/user/.bashrc to execute commands on the user's next login, or overwrite /etc/shadow to cause a denial of service.

Affected Systems

  • Product: GNU Wget2
  • Affected Versions: Specific vulnerable versions have not been detailed in the source articles, but users of Wget2 should assume they are affected until they can update to a patched version.

Exploitation Status

The vulnerability was disclosed on the oss-security mailing list. There is no evidence of active exploitation in the wild at this time. However, the simplicity of the exploit means that threat actors are likely to start incorporating it into their toolkits, especially for targeting automated systems like CI/CD pipelines that use Wget2 to fetch dependencies.

Impact Assessment

The impact of this vulnerability can range from moderate to critical, depending on the privileges of the user running Wget2 and the file that is overwritten.

  • Remote Code Execution: The most severe impact. An attacker could overwrite a user's .bashrc, .profile, or a cron job to execute arbitrary code.
  • Data Loss: Overwriting critical data files could lead to permanent data loss.
  • Denial of Service: Overwriting essential system files like /etc/passwd could render the system unusable.
  • Security Control Bypass: Overwriting a file like /home/user/.ssh/authorized_keys could allow an attacker to gain SSH access to the system.

Cyber Observables for Detection

Detection is best performed by analyzing server responses and filesystem activity.

Type
network_traffic_pattern
Value
HTTP responses with Content-Disposition headers containing ../ sequences
Description
This is a direct indicator of a path traversal attempt.
Context
Web proxy logs, IDS/IPS
Confidence
high
Type
file_name
Value
Files being written to unexpected locations by a wget2 process
Description
For example, wget2 writing to /etc/ or /home/user/.ssh/.
Context
File Integrity Monitoring (FIM), EDR logs
Confidence
high
Type
command_line_pattern
Value
wget2 commands downloading from untrusted URLs
Description
Scrutinize automated scripts that use wget2 to download from non-vetted sources.
Context
Script analysis, command-line logging
Confidence
medium

Detection Methods

  • File Integrity Monitoring (FIM): Use FIM tools like AIDE or Wazuh to monitor for unexpected changes to critical system files and user configuration files.
  • Network-Level Inspection: Configure IDS/IPS systems to inspect HTTP traffic for malicious Content-Disposition headers containing path traversal characters.
  • Dependency Scanning: Use software composition analysis (SCA) tools to identify all instances of GNU Wget2 in your environment, including in container images and build scripts, and check if they are a vulnerable version.

Remediation Steps

  1. Update GNU Wget2: The primary remediation is to update to a patched version of GNU Wget2 as soon as it becomes available from your operating system's package manager or the official GNU project.
  2. Audit Automated Scripts: Review all scripts and automated processes that use wget2. Ensure that they are only downloading files from trusted, well-vetted URLs.
  3. Run as Low-Privilege User: As a general best practice, ensure that automated scripts using tools like wget2 run as a dedicated, low-privilege user. This will limit the potential damage of an arbitrary file write, preventing the overwrite of critical system files.

Timeline of Events

1
January 4, 2026
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Update to a patched version of GNU Wget2 to remediate the path traversal flaw.

Privileged Account Management

M1026enterprise

Run processes that use Wget2 with the lowest possible privileges to limit the impact of a file overwrite.

Application Isolation and Sandboxing

M1048enterprise

Run Wget2 within a container or sandbox with a restricted, read-only filesystem to prevent it from writing to sensitive host locations.

Sources & References

Critical GNU Wget2 Vulnerability Let Remote Attackers to Overwrite Sensitive Files
SIEMBiot (siembiot.com) January 3, 2026
[oss-security] GNU Wget2: CVE-2025-69194: Arbitrary file write
Openwall (openwall.com) January 3, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

VulnerabilityPath TraversalArbitrary File WriteGNUWget2Open Source

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.