CVE-2024-38428

9.1 CRITICAL

📋 TL;DR

GNU Wget through version 1.24.5 incorrectly parses semicolons in the userinfo portion of URIs, potentially causing userinfo data to be misinterpreted as part of the host component. This could lead to credential exposure, authentication bypass, or unintended connections to malicious hosts. Anyone using affected Wget versions to fetch URLs containing semicolons in userinfo fields is vulnerable.

💻 Affected Systems

Products:
  • GNU Wget
Versions: Through 1.24.5
Operating Systems: All platforms running GNU Wget
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected Wget versions are vulnerable when processing URIs with semicolons in userinfo fields.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could intercept credentials, redirect connections to malicious servers, or bypass authentication mechanisms by crafting URIs with semicolons in userinfo fields.

🟠

Likely Case

Credential leakage when Wget processes URIs containing semicolons in authentication data, potentially exposing passwords or tokens to unintended hosts.

🟢

If Mitigated

Limited impact if Wget is only used with trusted URLs or in environments where URI parsing is validated elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires Wget to process a malicious URI, which could occur through scripts, automated tools, or user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.24.6 or later

Vendor Advisory: https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html

Restart Required: No

Instructions:

1. Download the latest Wget from https://ftp.gnu.org/gnu/wget/
2. Compile and install following the standard build procedure
3. Verify the installation with 'wget --version'

🔧 Temporary Workarounds

Avoid semicolons in URIs (all platforms)

Manually validate and sanitize URIs before passing them to Wget, ensuring no semicolons exist in userinfo fields.
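As an added example (not part of this advisory or of the Wget project), a Python pre-flight wrapper that implements the workaround above: it flags a literal semicolon in the userinfo of a URI and, instead of handing credentials to Wget's URI parser at all, moves them to Wget's standard --user/--password options (real options, but not mentioned in this advisory). It assumes the RFC 3986 authority layout [userinfo@]host[:port] and only flags a literal ';', not a percent-encoded %3B.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit


def split_userinfo(uri: str) -> Tuple[Optional[str], str]:
    """Return (userinfo, hostport) from the authority; userinfo is None when absent.

    The split is on the LAST '@' so an '@' inside a password stays in userinfo,
    which is where a correct RFC 3986 parser places it.
    """
    netloc = urlsplit(uri).netloc
    if "@" not in netloc:
        return None, netloc
    userinfo, _, hostport = netloc.rpartition("@")
    return userinfo, hostport


def userinfo_has_semicolon(uri: str) -> bool:
    """True when the userinfo contains the literal ';' that CVE-2024-38428 mishandles."""
    userinfo, _ = split_userinfo(uri)
    return userinfo is not None and ";" in userinfo


def safe_wget_argv(uri: str) -> List[str]:
    """Build a wget argv whose URI carries no userinfo at all.

    Credentials are percent-decoded and passed via --user/--password so the
    vulnerable userinfo parser never sees them. Caveat: command-line passwords
    are visible in process listings; prefer a .netrc or --ask-password where
    interactive use is possible (both are standard Wget features, assumed here).
    """
    parts = urlsplit(uri)
    userinfo, hostport = split_userinfo(uri)
    if userinfo is None:
        return ["wget", uri]
    user, has_password, password = userinfo.partition(":")
    stripped = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    argv = ["wget", "--user", unquote(user)]
    if has_password:
        argv += ["--password", unquote(password)]
    return argv + [stripped]


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real incident.
    for sample in ("http://alice;role@example.com/f", "https://example.com/f"):
        print(sample, "->", userinfo_has_semicolon(sample), safe_wget_argv(sample))
```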

Use alternative download tools (all platforms)

Temporarily replace Wget with curl or another download utility until patched.

# Example: Use curl instead of wget
curl -O https://example.com/file

🧯 If You Can't Patch

  • Restrict Wget usage to trusted, internal URLs only
  • Implement network monitoring for unexpected connections from Wget processes

🔍 How to Verify

Check if Vulnerable:

Run 'wget --version' and check whether the version is 1.24.5 or earlier. Note that distribution packages may backport the fix without changing the version string; check the package changelog in that case.

Check Version:

wget --version | head -1

Verify Fix Applied:

After patching, confirm version is 1.24.6 or later with 'wget --version'

📡 Detection & Monitoring

Log Indicators:

  • Wget connections to unexpected hosts
  • Failed authentication attempts with unusual URIs

Network Indicators:

  • Outbound connections from Wget to unknown IPs
  • HTTP requests with malformed Authorization headers

SIEM Query:

process.name:"wget" AND (destination.ip NOT IN [trusted_ips] OR url.query CONTAINS ";")

🔗 References