search menu icon-carat-right cmu-wordmark

CERT Coordination Center

GNU Wget enables SSRF via unvalidated FTP PASV IPs

Vulnerability Note VU#564823

Original Release Date: 2026-07-10 | Last Revised: 2026-07-10

Overview

GNU Wget, versions 1.25.0 and earlier, contains a server-side request forgery (SSRF) vulnerability in its implementation of FTP passive mode. Because Wget does not properly validate IP addresses obtained from PASV responses, an attacker-controlled FTP endpoint can redirect the client’s connection to arbitrary IPs, potentially exposing internal network host and service responses. This vulnerability has been remediated in a recent update by GNU; see the Solutions section below for resolution guidance.

Description

GNU Wget is a widely used command-line utility for retrieving content over HTTP, HTTPS, and FTP. When operating over FTP in passive mode, Wget relies on the server’s PASV response to determine which IP address and port to use for the data connection.

CVE-2026-15146 GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

This issue belongs to a known class of FTP PASV vulnerabilities such as CVE-2021-40491, which was previously remediated in GNU Inetutils.

Impact

A remote attacker controlling or influencing an FTP endpoint can induce Wget to establish connections to otherwise inaccessible internal network addresses. This may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reachable by the victim host. Applications that embed Wget for automated retrieval are particularly susceptible, because the vulnerability may be triggered automatically through redirected requests and untrusted user-supplied URLs.

Solution

GNU Wget has remediated this issue in the 07/05/2026 commit 4f85853f641863d5915786a8413e1a213726a62b. Users are advised to update their version according to vendor guidance.

Acknowledgements

Thanks to Jeremy Brown for researching and reporting this vulnerability. This document was written by Molly Jaconski.

Vendor Information

564823
 

GNU wget Not Affected

Notified:  2026-05-27 Updated: 2026-07-10

Statement Date:   July 10, 2026

CVE-2026-15146 Not Affected

Vendor Statement

Issue has been fixed in upstream master with the following commit.
The issue is considered public since it could be found by anyone using current LLM technology.

commit 4f85853f641863d5915786a8413e1a213726a62b
Author: Acts1631 acts1631kjv@proton.me
Date: Sun Jul 5 17:22:55 2026 -0400

ftp: validate PASV/LPSV response address against control connection peer

* src/ftp-basic.c (ftp_pasv): Reject if peer address doesn't match advertised
  address,
  (ftp_lpsv): Likewise.

ftp_pasv() and ftp_lpsv() copied the IP address and port advertised in
the server's 227 response without checking that it matched the peer
of the control connection.  A malicious or compromised FTP server
could therefore direct wget's data connection to an arbitrary host and
port of its choosing (e.g. an internal service unreachable from the
attacker directly), which is a server-side request forgery.

ftp_epsv() was already safe since it only extracts a port and reuses
the pre-filled control-connection address.

Fix ftp_pasv() and ftp_lpsv() the same way: capture the control
connection's peer address via socket_ip_address() before parsing the
response, and reject the response (FTPINVPASV) if the parsed address
does not match.

Verified with a fake FTP server that returns a PASV response pointing
at a different loopback address (127.0.0.2 instead of the real peer
127.0.0.1): before the fix wget connects to the spoofed address, after
the fix it rejects the response with "Cannot parse PASV response."
Legitimate transfers using a correctly-addressed PASV response
continue to work.

References

CERT Addendum

GNU Wget was "Affected", but the issue has been remediated in the referenced commit.


Other Information

CVE IDs: CVE-2026-15146
API URL: VINCE JSON | CSAF
Date Public: 2026-07-10
Date First Published: 2026-07-10
Date Last Updated: 2026-07-10 18:19 UTC
Document Revision: 1

Sponsored by CISA.