CVE-2024-10524 MEDIUM

CVE-2024-10524: GNU Wget is vulnerable to an SSRF attack when accessing partially-user-controlled shorthand URLs

Vendor GNU
Product wget
Weakness CWE-918 · SSRF
Published November 19, 2024
Last update March 21, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases, attackers can enter crafted credentials that cause Wget to access an arbitrary host.

Key dates

02 Disclosure timeline

November 19, 2024 CVE published
March 21, 2025 Record updated