Skip to main content

CISA issues update on GNU Wget SSRF in FTP passive mode

GNU Wget versions 1.25.0 and earlier contain a server-side request forgery (SSRF) issue in its FTP passive mode implementation, which can let an attacker redirect Wget’s data connection to arbitrary IP addresses and ports and expose internal host and service responses.

The problem occurs because Wget does not validate the IP address supplied by an FTP PASV response when operating in FTP passive mode. In this scenario, a malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit the behavior to redirect Wget’s data connection to an arbitrary IP address and port. The issue is tracked as CVE-2026-15146. Wget uses the server’s PASV response in passive mode to determine the IP address and port for the data connection. The report also notes that this issue fits the same FTP PASV vulnerability class as CVE-2021-40491, which was previously remediated in GNU Inetutils.

A remote attacker controlling or influencing an FTP endpoint can cause Wget to connect to internal network addresses that would otherwise be inaccessible. The report states this may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reachable by the victim host. It also states that applications embedding Wget for automated retrieval are particularly susceptible because the vulnerability may be triggered automatically through redirected requests and untrusted user-supplied URLs.

GNU Wget has remediated the issue in the 07/05/2026 commit 4f85853f641863d5915786a8413e1a213726a62b. Users are advised to update their version according to vendor guidance.

GNU Wget relies on the server’s PASV response to select which IP address and port to use for the data connection in FTP passive mode, and the report states that the absence of IP validation enables redirection to an arbitrary IP address and port. The guidance included with the report directs users to remediate by updating their version in line with vendor guidance.