VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs
GNU Wget versions 1.25.0 and earlier have a server-side request forgery vulnerability. This flaw exists in the implementation of FTP passive mode. Wget fails to properly validate IP addresses received in PASV responses from an FTP server. An attacker can control an FTP endpoint and redirect Wget's connection to any IP address. This allows bypassing network access controls to reach internal hosts and services. The vulnerability is similar to previous FTP PASV issues. A malicious FTP server or a redirecting HTTP server could exploit this. The impact includes retrieving service banners or accessing internal endpoints. Applications embedding Wget are especially vulnerable due to automated request handling. GNU has fixed this vulnerability in a recent update. Users should update to a patched version of GNU Wget.