Wget
Monthly
GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.
Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.
Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 75.8%.
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.0%.
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 74.3%.
GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.
Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.
Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 75.8%.
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.0%.
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 74.3%.