CVE-2025-69194

Wget2 Metalink Path Traversal: Downloading Your Way to RCE

Amit Schendel
Senior Security Researcher

Jan 16, 2026

Executive Summary (TL;DR)

Wget2 trusted Metalink filenames implicitly. If you download a malicious '.metalink' file with Wget2 version <= 2.2.0, the filenames it carries can traverse directories (e.g., '../../') and overwrite sensitive files such as SSH keys or shell configuration files. Fixed in version 2.2.1.

GNU Wget2 contains a critical path traversal vulnerability within its Metalink parsing logic. By constructing a malicious Metalink XML file, an attacker can trick the client into writing files anywhere on the filesystem, leading to potential RCE.
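As an added example (not part of this advisory and not Wget2's own code), the following Python check shows the kind of validation the vulnerable Metalink handling lacked: every <file name="..."> entry is confirmed to resolve inside the download directory before anything would be written. The sample .metalink document, the handling of both Metalink namespaces and the function names are my own assumptions; the '../' entry mirrors the traversal the summary describes.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample .metalink (not from the advisory): one benign entry and one whose
# name tries to climb out of the download directory with "../", as the CVE describes.
SAMPLE_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="release/tool-1.0.tar.gz">
    <url>https://mirror.example.invalid/tool-1.0.tar.gz</url>
  </file>
  <file name="../../.bashrc">
    <url>https://mirror.example.invalid/payload</url>
  </file>
</metalink>
"""

def is_safe_name(name: str) -> bool:
    """Accept only plain relative paths: no absolute paths, no '..' or empty components."""
    if not name or name.startswith("/") or "\\" in name:
        return False
    return all(part not in ("", ".", "..") for part in name.split("/"))

def safe_destination(base_dir: str, name: str) -> Optional[str]:
    """Resolve name under base_dir and return the path only if it stays inside base_dir."""
    if not is_safe_name(name):
        return None
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # Second line of defence: even a syntactically clean name must resolve under base
    # (this also catches a subdirectory that is a symlink pointing elsewhere).
    try:
        inside = os.path.commonpath([base, dest]) == base
    except ValueError:  # different drives on Windows: cannot share a prefix
        inside = False
    return dest if inside else None

def check_metalink(xml_text: str, base_dir: str) -> Dict[str, List[str]]:
    """Classify every <file name=...> entry (Metalink v3 or v4 namespace) as accepted or rejected."""
    root = ET.fromstring(xml_text)
    verdict: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] != "file":
            continue
        name = element.get("name", "")
        bucket = "accepted" if safe_destination(base_dir, name) else "rejected"
        verdict[bucket].append(name)
    return verdict
```

A downloader that applied check_metalink before opening any output file would skip the second entry instead of writing outside the download directory.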

Technical Appendix

CVSS Score: 8.8 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Probability: 4.00% (Top 99% most exploited)

Affected Systems

GNU Wget2 <= 2.2.0

Affected Versions Detail

Product: GNU Wget2 (vendor: GNU)
Affected Versions: <= 2.2.0
Fixed Version: 2.2.1

CWE ID: CWE-22 (Path Traversal)
CVSS v3.1: 8.8 (High)
Attack Vector: Network / User Interaction
Impact: Arbitrary File Write / RCE
Commit: 684be478
Status: Patched (v2.2.1)

CWE-22: Path Traversal (Improper Limitation of a Pathname to a Restricted Directory)

Vulnerability Timeline

2025-12-26: Fix committed to repository
2025-12-29: Reported to Red Hat
2026-01-09: CVE Published
