Wget vulnerability – does it affect you?

So there is a wget vulnerability … big deal?

Metasploit developer – Rapid7 has a page discussing the exploit


GNU Wget is a command-line utility designed to download files via HTTP, HTTPS, and FTP.  Wget versions prior to 1.16 are vulnerable a symlink attack (CVE-2014-4877) when running in recursive mode with a FTP target.

Let’s Focus on this sentence:

This vulnerability allows an attacker operating a malicious FTP server to create arbitrary files, directories, and symlinks on the user’s filesystem.

So what constitutes a “user’s filesystem” that could be attacked?

Well, it has to have wget versions prior to 1.16, such as this one:


This is wget version 1.13 on a Kali Linux distribution of 1.08 (without too many modifications.

Now it just so happens this is my laptop, so I am not vulnerable, since I do not have ftp or http servers running. So only if a potential server has an early version of wget installed and has a ftp server running then the system “could” be vulnerable.

Contact me to have me check your systems with an Alpha scan.



RedHat has a bugfix: https://access.redhat.com/support/policy/updates/errata/