{"id":"UBUNTU-CVE-2025-69194","details":"A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink \u003cfile name\u003e elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.","modified":"2026-03-09T12:24:46.182448Z","published":"2026-01-09T08:15:00Z","upstream":["CVE-2025-69194"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-69194"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-69194"}],"affected":[{"package":{"name":"wget2","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/wget2@0.0.20170806-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.0.20170806-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libwget0","binary_version":"0.0.20170806-1"},{"binary_name":"wget2","binary_version":"0.0.20170806-1"},{"binary_name":"wget2-dev","binary_version":"0.0.20170806-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-69194.json"}},{"package":{"name":"wget2","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/wget2@1.99.1-2.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.99.1-2","1.99.1-2.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libwget0","binary_version":"1.99.1-2.1"},{"binary_name":"wget2","binary_version":"1.99.1-2.1"},{"binary_name":"wget2-dev","binary_version":"1.99.1-2.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-69194.json"}},{"package":{"name":"wget2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/wget2@1.99.1-2.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.99.1-2.2"],"ecosystem_specific":{"binaries":[{"binary_name":"libwget0","binary_version":"1.99.1-2.2"},{"binary_name":"wget2","binary_version":"1.99.1-2.2"},{"binary_name":"wget2-dev","binary_version":"1.99.1-2.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-69194.json"}},{"package":{"name":"wget2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/wget2@2.1.0-2.1build2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.99.1-2.2","2.1.0-2","2.1.0-2.1build1","2.1.0-2.1build2"],"ecosystem_specific":{"binaries":[{"binary_name":"libwget2t64","binary_version":"2.1.0-2.1build2"},{"binary_name":"wget2","binary_version":"2.1.0-2.1build2"},{"binary_name":"wget2-dev","binary_version":"2.1.0-2.1build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-69194.json"}},{"package":{"name":"wget2","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/wget2@2.2.0+ds-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.0+ds-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libwget3","binary_version":"2.2.0+ds-1"},{"binary_name":"wget2","binary_version":"2.2.0+ds-1"},{"binary_name":"wget2-dev","binary_version":"2.2.0+ds-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-69194.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}