CVE-2025-69195

Name: CVE-2025-69195
Description: A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1124377

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version       Status
wget2 (PTS)      bookworm, bullseye   1.99.1-2.2    fixed
                 trixie               2.2.0+ds-1    vulnerable
                 forky, sid           2.2.0+ds-3    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
wget2     source   bullseye     (not affected)
wget2     source   bookworm     (not affected)
wget2     source   (unstable)   2.2.0+ds-3                          1124377

Notes

[trixie] - wget2 <no-dsa> (Minor issue)
[bookworm] - wget2 <not-affected> (Vulnerable code introduced later)
[bullseye] - wget2 <not-affected> (Vulnerable code introduced later)
Introduced with: https://gitlab.com/gnuwget/wget2/-/commit/3dc30f5f0c6f8feae97f866c537324f821ea05d6 (v2.1.0)
Fixed by: https://gitlab.com/gnuwget/wget2/-/commit/fc7fcbc00e0a2c8606d44ab216195afb3f08cc98 (v2.2.1)
