CVE-2025-69194

Severity: High
Published: 09 January 2026
Modified: 05 March 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0071 (48.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-69194 is a high-severity Path Traversal (CWE-22) vulnerability in GNU Wget2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The vulnerability ranks at the 48.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69194 is a path traversal vulnerability (CWE-22) in GNU Wget2 when processing Metalink documents. The application fails to properly validate file paths specified in Metalink <file name> elements, enabling arbitrary file writes to unintended locations on the filesystem. Published on 2026-01-09, this issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.

A remote attacker without privileges can exploit this by tricking a user into using Wget2 to download or process a maliciously crafted Metalink document, which requires user interaction such as clicking a link or running a command. Upon processing, the invalid paths allow the attacker to overwrite or create files outside the intended download directory, resulting in data loss or enabling further system compromise depending on the targeted locations and permissions.
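As an added illustration of the input-validation control (SI-10) that the summary points to, the following Python is not GNU Wget2 code and does not reproduce its Metalink handling. It parses a constructed Metalink 4 document, rejects every `<file name="...">` value that would resolve outside the download directory, and shows the naive path join beside it so the CWE-22 failure mode is visible. The Metalink 4 namespace is the one defined in RFC 5854; the sample document, the download directory and the function names are assumptions made for this example.

```python
"""Added example (not GNU Wget2 code): validating Metalink <file name="..."> values
before they are used as write targets, the CWE-22 check that CVE-2025-69194 concerns.

The sample document, the download directory and the function names are constructed
for illustration; nothing here is taken from the Wget2 code base."""
import posixpath
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Namespace of Metalink version 4 documents (RFC 5854).
METALINK_NS = "urn:ietf:params:xml:ns:metalink"

# Constructed sample: one legitimate entry, one relative traversal, one absolute path.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="release/app-1.0.tar.gz">
    <size>1024</size>
    <url>https://mirror.example/app-1.0.tar.gz</url>
  </file>
  <file name="../../outside.txt">
    <url>https://mirror.example/a</url>
  </file>
  <file name="/tmp/absolute.txt">
    <url>https://mirror.example/b</url>
  </file>
</metalink>
"""


def naive_target(download_dir: str, name: str) -> str:
    """The unsafe pattern: trust the name and join it.

    posixpath.join discards download_dir when name is absolute, and "../"
    segments are kept, so the result can point anywhere on the filesystem.
    """
    return posixpath.join(download_dir, name)


def safe_target(download_dir: str, name: str) -> Optional[str]:
    """Return the write path for `name` inside download_dir, or None if the
    name must be rejected.  Pure string logic (POSIX paths assumed), so the
    decision does not depend on what currently exists on disk."""
    # Empty names, absolute names, backslashes and NUL bytes are never acceptable.
    if not name or name.startswith("/") or "\\" in name or "\0" in name:
        return None
    # Collapse "." segments and repeated slashes; any ".." that survives
    # normalisation is one that climbs above the download directory.
    norm = posixpath.normpath(name)
    if norm == "." or ".." in PurePosixPath(norm).parts:
        return None
    return posixpath.join(download_dir, norm)


def select_files(metalink_xml: str, download_dir: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse a Metalink 4 document and split its <file> entries into
    (name, target_path) pairs that are safe to write and names to reject."""
    root = ET.fromstring(metalink_xml)
    accepted: List[Tuple[str, str]] = []
    rejected: List[str] = []
    for entry in root.iter(f"{{{METALINK_NS}}}file"):
        name = entry.get("name", "")
        target = safe_target(download_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append((name, target))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = select_files(SAMPLE_METALINK, "/downloads")
    for name, target in ok:
        print(f"accept {name!r} -> {target}")
    for name in bad:
        print(f"reject {name!r} (naive join would give {naive_target('/downloads', name)!r})")
```

The check is deliberately done on the normalised string rather than with `os.path.realpath`, so the same name is accepted or rejected regardless of what symlinks happen to exist under the download directory; a client that also follows symlinks when opening the target would additionally need to open files with `O_NOFOLLOW` or an equivalent.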

Mitigation details are provided in the referenced Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-69194 and Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2425773. Security practitioners should consult these for patch availability, version-specific guidance, and any recommended workarounds.

Vulnerability details

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal enables arbitrary writes to any filesystem location, directly facilitating stored data manipulation or targeted destruction/overwrites.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69195 (same product: GNU Wget2)
CVE-2025-40889 (shared CWE-22)
CVE-2026-45224 (shared CWE-22)
CVE-2026-41383 (shared CWE-22)
CVE-2026-28791 (shared CWE-22)
CVE-2026-25161 (shared CWE-22)
CVE-2026-5928 (same vendor: GNU)
CVE-2025-1125 (same vendor: GNU)
CVE-2025-15281 (same vendor: GNU)
CVE-2025-69649 (same vendor: GNU)

Affected Assets

Vendor: gnu
Product: wget2
Versions: ≤ 2.2.1

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): directly requires validation of file paths in Metalink documents to block path traversal exploits in GNU Wget2.

Prevent, SI-2 (Flaw Remediation): mandates timely remediation of the path validation flaw in Wget2 via patching as described in vendor advisories.

Prevent, least privilege: limits damage from arbitrary file writes by enforcing least privilege on processes executing Wget2, restricting access to sensitive locations.
