Bug 2425773 (CVE-2025-69194)

Summary: CVE-2025-69194 wget2: Arbitrary File Write via Metalink Path Traversal in GNU Wget2
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhraj
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2425779, 2425780, 2425781, 2425782, 2425783    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-29 14:15:14 UTC 
Path traversal vulnerability in the Metalink processing logic of GNU Wget2. The issue arises when wget2 trusts attacker-supplied <file name> values in Metalink v3/v4 documents without proper sanitization. By specifying traversal sequences or absolute paths, an attacker can cause wget2 to create, truncate, or overwrite arbitrary files writable by the victim user. The vulnerability is remotely exploitable, requires no authentication, and can lead to data loss or potential code execution by overwriting user-executed configuration or startup files.