A serious vulnerability has been discovered in the popular GNU command-line downloader Wget2 , which allows attackers to overwrite files on the victim’s computer without their knowledge or consent.
The issue has been identified with the identifier CVE-2025-69194 and has a high severity rating of 8.8 according to CVSS, which means it should not be ignored.
The vulnerability is related to the processing of Metalink files, special documents that describe multiple sources for downloading the same file ( mirrors, P2P, and so on). In theory, Wget2 should strictly control where the downloaded data is stored.
However, as Apache researchers discovered, this presents some practical problems. Due to a path validation error, an attacker can create a malicious Metalink file with deceptive names like ../. This is a classic path traversal vulnerability that allows an attacker to traverse the working directory and write a file to virtually any location on the system.
Simply processing such a Metalink is enough for the user to proceed without their intervention. The consequences could be quite serious.
In the worst case, an attacker could: overwrite important system or user files and cause data loss; replace configurations or scripts and execute malicious code; modify security settings or authentication files, creating a backdoor.
The attack requires interacting with a malicious file, but given the consequences, the risk seems more than real, especially for those who regularly use Wget2 in automated scripts or CI/CD pipelines.
If you work with Wget2 and Metalink , it’s time to pay attention to your download sources and keep an eye on updates. A neglected file can cost you dearly.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
