CVE-2025-69194: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Severity: High
Published: Fri Jan 09 2026 (01/09/2026, 07:53:48 UTC)
Source: CVE Database V5

Description

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 07:38:10 UTC

Technical Analysis

CVE-2025-69194 is a path traversal vulnerability discovered in GNU Wget2, a widely used command-line utility for downloading files. The vulnerability specifically affects the processing of Metalink documents, which are XML files that provide multiple download locations and metadata for files. Wget2 fails to properly sanitize or restrict the file paths specified within the <file name> elements of these Metalink documents. As a result, an attacker can craft a malicious Metalink file containing path traversal sequences (e.g., '../') to cause Wget2 to write files outside the intended download directory. This arbitrary file write capability can be leveraged to overwrite critical system or application files, potentially leading to data loss, corruption, or further compromise such as privilege escalation or remote code execution if the attacker can place executable files in sensitive locations. The vulnerability is exploitable remotely without requiring authentication or privileges but does require user interaction to initiate the download of the malicious Metalink file. The CVSS v3.1 base score is 8.8, indicating a high severity due to the network attack vector, low complexity, no privileges required, but requiring user interaction, and high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the nature of the vulnerability and the popularity of Wget2 make it a significant risk. The lack of patch links suggests that fixes may be pending or newly released, emphasizing the need for vigilance. This vulnerability highlights the importance of secure input validation and path sanitization in software handling external data.

Potential Impact

The impact of CVE-2025-69194 is substantial for organizations relying on GNU Wget2 for automated downloads, updates, or data retrieval, especially when using Metalink files. Successful exploitation can lead to arbitrary file writes outside designated directories, causing data loss or corruption. This can disrupt business operations, compromise system integrity, and potentially allow attackers to implant malicious files that facilitate further attacks such as privilege escalation or persistent backdoors. The confidentiality of sensitive data may be compromised if attackers overwrite or replace files containing secrets or credentials. Availability may also be affected if critical system files are corrupted or deleted. Given the network-based attack vector and no requirement for authentication, this vulnerability could be exploited in supply chain attacks or targeted phishing campaigns delivering malicious Metalink files. Organizations with automated systems that process Metalink files without strict validation are particularly vulnerable. The absence of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

To mitigate CVE-2025-69194, organizations should first ensure they apply any official patches or updates released by the GNU Wget2 maintainers as soon as they become available. In the absence of patches, administrators should consider disabling or restricting the use of Metalink files in Wget2 or avoid using Wget2 for processing untrusted Metalink documents. Implement strict input validation and sanitization on any Metalink files before processing, ensuring file paths do not contain traversal sequences or reference locations outside intended directories. Employ application whitelisting and file integrity monitoring to detect unauthorized file changes. Network-level controls such as blocking or filtering suspicious Metalink files or downloads from untrusted sources can reduce exposure. Educate users about the risks of downloading and executing files from untrusted Metalink sources to reduce the likelihood of user interaction exploitation. For automated systems, consider sandboxing or running Wget2 with least privilege to limit the impact of potential arbitrary file writes. Regularly audit systems for unexpected file modifications and maintain robust backup and recovery procedures to mitigate data loss.
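One way to implement the pre-processing check recommended above, as an added example that is not part of this advisory or of Wget2's own code: a small Python validator that parses a Metalink document and rejects any <file name> that is absolute, contains a '..' component anywhere in the path, or uses Windows separators or drive prefixes. The namespaces are the standard Metalink 4 (RFC 5854) and Metalink 3 ones; the sample document is constructed for the demonstration.

```python
import posixpath
import xml.etree.ElementTree as ET  # for untrusted input, defusedxml.ElementTree has the same fromstring()

# <file> element tags to look for: Metalink 4 (RFC 5854), Metalink 3, and
# namespace-less documents.
FILE_TAGS = (
    "{urn:ietf:params:xml:ns:metalink}file",
    "{http://www.metalinker.org/}file",
    "file",
)

def is_safe_relative_path(name: str) -> bool:
    """True only if `name` is a plain relative path that stays inside the
    download directory. Rejects empty names, NUL bytes, backslashes,
    absolute paths, Windows drive prefixes and any '.'/'..' component,
    not just a leading one (so 'a/../../b' is refused as well)."""
    if not name or "\x00" in name or "\\" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    if any(part in ("", ".", "..") for part in name.split("/")):
        return False  # also catches '//', a trailing '/' and './x'
    # Belt and braces: after normalisation the path must still sit under a
    # fixed base directory.
    return posixpath.normpath(posixpath.join("/base", name)).startswith("/base/")

def unsafe_metalink_paths(xml_text: str) -> list[str]:
    """Parse a Metalink document and return every <file name> value that
    would escape the download directory; an empty list means all are safe."""
    root = ET.fromstring(xml_text)
    bad = []
    for tag in FILE_TAGS:
        for elem in root.iter(tag):
            name = elem.get("name", "")
            if not is_safe_relative_path(name):
                bad.append(name)
    return bad

# Constructed sample document (not taken from the advisory): one benign
# name and one traversal attempt.
SAMPLE_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="pkg/archive.tar.gz">
    <url>https://example.invalid/archive.tar.gz</url>
  </file>
  <file name="../../outside.txt">
    <url>https://example.invalid/outside.txt</url>
  </file>
</metalink>
"""

if __name__ == "__main__":
    offenders = unsafe_metalink_paths(SAMPLE_METALINK)
    if offenders:
        raise SystemExit(f"refusing Metalink: unsafe file names {offenders}")
    print("Metalink file names OK")
```

Run the validator over a Metalink file before handing it to Wget2 and abort the download when it returns any names; in an automated pipeline the same check belongs in the fetch job that retrieves the Metalink document.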


Technical Details

Data Version: 5.2
Assigner Short Name: fedora
Date Reserved: 2025-12-29T13:49:33.180Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6960b4b3ecefc3cd7c10677e

Added to database: 1/9/2026, 7:56:35 AM

Last enriched: 2/27/2026, 7:38:10 AM

Last updated: 3/24/2026, 7:56:01 AM
