Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV:N because the attack originates from a remote server Wget connects to; no confidentiality, integrity, or availability impact beyond the SSRF data interaction itself.
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.
AnalysisAI
GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim machine is running GNU Wget version 1.25.0 or earlier and is fetching content either directly from an attacker-controlled FTP server in passive mode (the Wget default), or following an HTTP 301/302 redirect from any HTTP/HTTPS URL to an attacker-controlled ftp:// URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-supplied CVSS base vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, score 5.9) contains a critical inconsistency: AV:L (Local attack vector) requires the attacker to have local access to the vulnerable system, yet the vulnerability description unambiguously describes an attack originating from a remote FTP server that the Wget client connects to over the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sets up a malicious FTP server (or configures a web server to return a 302 redirect to ftp://attacker-server/) that a CI/CD pipeline or cron job uses Wget to fetch from. When Wget enters passive mode, the attacker's server returns a crafted PASV 227 response specifying 169.254.169.254:80 (the AWS/GCP/Azure Instance Metadata Service) as the data connection endpoint. … |
| Remediation | Apply the upstream fix by building or installing a version of Wget that includes commit 4f85853f641863d5915786a8413e1a213726a62b from the Savannah repository (https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b); no formally tagged release version (e.g., 1.26.0) has been independently confirmed at time of analysis, so monitor the upstream project and distribution channels for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at
The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerab
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42980
GHSA-77jw-q7w3-q2hw