GNU Wget2 2.2.1 Update Patches File Overwrite Flaw

GNU Wget2 2.2.1 has been released. The project is developing a from-scratch rewrite and complete redesign of GNU Wget, the program for automating recursive downloading of content. Wget2 adds a set of extra options, supports multi-threaded downloads, exposes its functionality through the libwget library, supports the HTTP/2 and TLS 1.3 protocols, can download only changed data, can save data from streaming servers, correctly handles internationalized domain names and can transcode downloaded content. The wget2 utility is distributed under the GPLv3+ license, and the library under LGPLv3+.

The new version fixes two vulnerabilities:

  • CVE-2025-69194 – lack of proper checks on file paths when processing content in the Metalink format, which is used to describe links to files for download. By placing “../” sequences in file paths inside a block of the Metalink document, an attacker can create, truncate, or overwrite arbitrary files outside the base directory into which the download is performed. For example, an attacker could overwrite the contents of ~/.ssh/authorized_keys or ~/.bashrc and have their code executed on the system.
  • CVE-2025-69195 – buffer overflow in the file-name sanitization code in the get_local_filename_real() function, which could potentially lead to code execution when processing specially crafted URLs on downloaded pages or when processing redirects. The problem occurs when the “--restrict-file-names=windows|unix|ascii” option is enabled and is caused by the use of a fixed 1024-byte buffer without checking the actual size of the data written into it.
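Both fixes come down to the same two checks on an attacker-controlled file name: keep it inside the download directory, and never write it into a buffer whose size is not checked. The following is an added illustration of those checks, not code from wget2; the function names metalink_name_is_safe and build_local_path are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reject a file name taken from an untrusted Metalink document if it could
 * escape the download base directory: an absolute path, or any path
 * component equal to "..". Both '/' and '\\' are treated as separators so
 * that "..\\x" is caught as well. Returns true only for a safe name. */
bool metalink_name_is_safe(const char *name)
{
    if (!name || !*name)
        return false;
    if (name[0] == '/' || name[0] == '\\')          /* absolute path */
        return false;
    const char *p = name;
    while (*p) {
        const char *seg_end = p;
        while (*seg_end && *seg_end != '/' && *seg_end != '\\')
            seg_end++;
        if ((size_t)(seg_end - p) == 2 && p[0] == '.' && p[1] == '.')
            return false;                           /* ".." component */
        p = *seg_end ? seg_end + 1 : seg_end;
    }
    return true;
}

/* Build "<base>/<name>" into a caller-supplied buffer with an explicit
 * bound, instead of a fixed-size buffer that is written without a length
 * check. Returns the resulting length, or -1 if the name is unsafe or the
 * result (including the terminating NUL) would not fit in outsz bytes. */
int build_local_path(char *out, size_t outsz, const char *base, const char *name)
{
    if (!metalink_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outsz)                /* truncated: refuse */
        return -1;
    return n;
}
```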

Non-security changes include the addition of the “--show-progress” option for displaying download progress, the use of local time when the “--no-use-server-timestamps” option is given, support for the ‘no_’ prefix in configuration parameters, and enabling libnghttp2 for HTTP/2 testing.
