Wget2: arbitrary file write via metalink path traversal in gnu...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.

AI Analysis

Arbitrary file write via metalink path traversal vulnerability in GNU Wget2

Basic Information

ID CVE-2025-69194

Source fedora

Published Jan 9, 2026 at 07:53

Affected Product

Vendor GNU

Product GNU Wget2

Affected Versions 0

CWE Classification

CWE-22

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor GNU

Product Wget2

Version unknown

References

{
    "lastseen": "",
    "description": "A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user\u2019s environment.",
    "published": "2026-01-09T07:53:48.144Z",
    "modified": "2026-01-09T07:53:48.144Z",
    "type": "cve",
    "title": "Wget2: arbitrary file write via metalink path traversal in gnu wget2",
    "source": "fedora",
    "references": "https://access.redhat.com/security/cve/CVE-2025-69194\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2425773",
    "id": "CVE-2025-69194",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "  0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GNU Wget2",
    "version": "0",
    "vendor": "GNU",
    "ai_description": "Arbitrary file write via metalink path traversal vulnerability in GNU Wget2",
    "ai_severity": "High",
    "ai_vendor": "GNU",
    "ai_product": "Wget2",
    "ai_version": "unknown",
    "ai_score": 8.8
}

Wget2: arbitrary file write via metalink path traversal in gnu wget2_CVE-2025-69194