CVE-2017-13090— GNU Wget: heap overflow in HTTP protocol handling

EPSS 8.55% · P92 Updated Feb 21, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2017-13090

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

GNU Wget: heap overflow in HTTP protocol handling

Source: NVD (National Vulnerability Database)

Vulnerability Description

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

堆缓冲区溢出

Source: NVD (National Vulnerability Database)

Vulnerability Title

GNU Wget 缓冲区错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

GNU Wget是GNU计划开发的一套用于在网络上进行下载的自由软件，它支持通过HTTP、HTTPS以及FTP这三个最常见的TCP/IP协议下载。 GNU Wget 1.19.2之前的版本中存在基于堆的缓冲区溢出漏洞。远程攻击者可利用该漏洞在受影响的应用程序上下文中执行任意代码或造成拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
GNU Project	Wget	prior to 1.19.2	-

II. Public POCs for CVE-2017-13090

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2017-13090

请登录查看更多情报信息。

https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.htmlx_refsource_MISC
https://www.synology.com/support/security/Synology_SA_17_62_Wgetx_refsource_CONFIRM
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bbax_refsource_CONFIRM
http://www.securityfocus.com/bid/101590vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1039661vdb-entryx_refsource_SECTRACK
http://www.debian.org/security/2017/dsa-4008vendor-advisoryx_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:3075vendor-advisoryx_refsource_REDHAT
https://security.gentoo.org/glsa/201711-06vendor-advisoryx_refsource_GENTOO
https://nvd.nist.gov/vuln/detail/CVE-2017-13090

IV. Related Vulnerabilities

Same product: Wget

Same vendor: GNU Project

Same weakness: CWE-122

V. Comments for CVE-2017-13090

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2017-13090— GNU Wget: heap overflow in HTTP protocol handling

I. Basic Information for CVE-2017-13090

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2017-13090

III. Intelligence Information for CVE-2017-13090

IV. Related Vulnerabilities

V. Comments for CVE-2017-13090

Leave a comment