{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/564823#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nGNU Wget, versions 1.25.0 and earlier, contains a server-side request forgery (SSRF) vulnerability in its implementation of FTP passive mode. Because Wget does not properly validate IP addresses obtained from PASV responses, an attacker-controlled FTP endpoint can redirect the client’s connection to arbitrary IPs, potentially exposing internal network host and service responses. This vulnerability has been remediated in a recent update by GNU; see the **Solutions** section below for resolution guidance.\r\n\r\n### Description\r\nGNU Wget is a widely used command-line utility for retrieving content over HTTP, HTTPS, and FTP. When operating over FTP in passive mode, Wget relies on the server’s PASV response to determine which IP address and port to use for the data connection.\r\n\r\n**CVE-2026-15146** GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.\r\n\r\nThis issue belongs to a known class of FTP PASV vulnerabilities such as [CVE-2021-40491](https://nvd.nist.gov/vuln/detail/cve-2021-40491), which was previously remediated in GNU Inetutils. \r\n\r\n### Impact\r\nA remote attacker controlling or influencing an FTP endpoint can induce Wget to establish connections to otherwise inaccessible internal network addresses. This may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reachable by the victim host. Applications that embed Wget for automated retrieval are particularly susceptible, because the vulnerability may be triggered automatically through redirected requests and untrusted user-supplied URLs.\r\n\r\n### Solution\r\nGNU Wget has remediated this issue in the 07/05/2026 commit [4f85853f641863d5915786a8413e1a213726a62b](https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b). Users are advised to update their version according to vendor guidance. \r\n\r\n### Acknowledgements\r\nThanks to Jeremy Brown for researching and reporting this vulnerability. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Issue has been fixed in upstream master with the following commit.\r\nThe issue is considered public since it could be found by anyone using current LLM technology.\r\n\r\ncommit 4f85853f641863d5915786a8413e1a213726a62b\r\nAuthor: Acts1631 <acts1631kjv@proton.me>\r\nDate:   Sun Jul 5 17:22:55 2026 -0400\r\n\r\n    ftp: validate PASV/LPSV response address against control connection peer\r\n    \r\n    * src/ftp-basic.c (ftp_pasv): Reject if peer address doesn't match advertised\r\n      address,\r\n      (ftp_lpsv): Likewise.\r\n    \r\n    ftp_pasv() and ftp_lpsv() copied the IP address and port advertised in\r\n    the server's 227 response without checking that it matched the peer\r\n    of the control connection.  A malicious or compromised FTP server\r\n    could therefore direct wget's data connection to an arbitrary host and\r\n    port of its choosing (e.g. an internal service unreachable from the\r\n    attacker directly), which is a server-side request forgery.\r\n    \r\n    ftp_epsv() was already safe since it only extracts a port and reuses\r\n    the pre-filled control-connection address.\r\n    \r\n    Fix ftp_pasv() and ftp_lpsv() the same way: capture the control\r\n    connection's peer address via socket_ip_address() before parsing the\r\n    response, and reject the response (FTPINVPASV) if the parsed address\r\n    does not match.\r\n    \r\n    Verified with a fake FTP server that returns a PASV response pointing\r\n    at a different loopback address (127.0.0.2 instead of the real peer\r\n    127.0.0.1): before the fix wget connects to the spoofed address, after\r\n    the fix it rejects the response with \"Cannot parse PASV response.\"\r\n    Legitimate transfers using a correctly-addressed PASV response\r\n    continue to work.","title":"Vendor statment from GNU wget"},{"category":"other","text":"GNU Wget was \"Affected\", but the issue has been remediated in the referenced commit.","title":"CERT/CC comment on GNU wget notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/564823"},{"url":"https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b","summary":"https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b"},{"url":"https://datatracker.ietf.org/doc/html/rfc959","summary":"https://datatracker.ietf.org/doc/html/rfc959"},{"url":"https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b","summary":"Reference(s) from vendor \"GNU wget\""}],"title":"GNU Wget enables SSRF via unvalidated FTP PASV IPs","tracking":{"current_release_date":"2026-07-10T18:19:49+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#564823","initial_release_date":"2026-07-10 18:19:49.282014+00:00","revision_history":[{"date":"2026-07-10T18:19:49+00:00","number":"1.20260710181949.1","summary":"Released on 2026-07-10T18:19:49+00:00"}],"status":"final","version":"1.20260710181949.1"}},"vulnerabilities":[{"title":"GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode.","notes":[{"category":"summary","text":"GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources."}],"cve":"CVE-2026-15146","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#564823"}],"product_status":{"known_not_affected":["CSAFPID-59f19882-7ca7-11f1-aade-026cba0b744b"]}}],"product_tree":{"branches":[{"category":"vendor","name":"GNU wget","product":{"name":"GNU wget Products","product_id":"CSAFPID-59f19882-7ca7-11f1-aade-026cba0b744b"}}]}}