Nixpkgs security tracker

Untriaged

Permalink CVE-2025-69194

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 months, 1 week ago

Wget2: arbitrary file write via metalink path traversal in gnu wget2

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.

References

https://access.redhat.com/security/cve/CVE-2025-69194 vdb-entryx_refsource_REDHAT
RHBZ#2425773 issue-trackingx_refsource_REDHAT

Affected products

wget2

==2.2.1
=<2.2.0

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

nixos-unstable 2.2.0
- nixpkgs-unstable 2.2.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.2.0
- nixpkgs-25.11-darwin 2.2.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.wget2

Package maintainers