curl wcurl Path Traversal Vulnerability via Percent-Encoded Slashes
Vulnerability
A path traversal vulnerability has been identified in the wcurl command line tool, affecting the wcurl bundled with curl 8.14.0 through 8.16.0 as well as standalone wcurl versions 2024.12.08 to 2025.09.27. A URL containing percent-encoded slashes can cause wcurl to save its output file outside the current directory, without the user's explicit consent. The issue arises because wcurl percent-decodes the output filename it takes from the URL without handling encoded slashes correctly, so the decoded name can contain directory separators and the file is created in an unintended location.
Impact
Exploitation of this vulnerability can lead to unauthorized file creation outside the intended directory, potentially overwriting existing files or disrupting file management processes.
Remediation
Users can upgrade to wcurl version 2025.11.09 or to curl 8.18.0 to address this vulnerability. Alternatively, the patch can be applied to local wcurl versions. It is also recommended to explicitly specify an output filename using the -o, -O, or --output options, and to disable percent-decoding of output filenames with the --no-decode-filename option.
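As an added illustration (Python model, not wcurl's own shell implementation), the following shows the decode-without-check filename derivation the advisory describes beside a hardened variant that honours a no-decode option and rejects any decoded name that would leave the working directory; the URLs and base directory are constructed samples.

```python
"""Model of unsafe vs. hardened output-filename derivation from a URL.
Illustrative code only; wcurl itself is a shell script."""
import posixpath
from urllib.parse import unquote, urlsplit


def last_segment(url: str) -> str:
    """Raw (still percent-encoded) final path component of the URL."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def derive_name_unsafe(url: str) -> str:
    """Behaviour described in the advisory: decode the segment blindly,
    so an encoded '%2F' turns into a real '/' in the output name."""
    return unquote(last_segment(url)) or "index.html"


def is_safe_name(name: str) -> bool:
    """A usable output name is a single plain path component: no
    separator and not a dot entry, otherwise the file escapes cwd."""
    return bool(name) and "/" not in name and name not in (".", "..")


def derive_name_safe(url: str, decode: bool = True) -> str:
    """Hardened variant: decode only when requested (the no-decode
    option keeps the raw segment), then refuse an unsafe result."""
    raw = last_segment(url)
    name = (unquote(raw) if decode else raw) or "index.html"
    if not is_safe_name(name):
        raise ValueError(f"refusing unsafe output filename: {name!r}")
    return name


def stays_in_dir(name: str, base: str) -> bool:
    """Independent string-level check: does base/name, once normalised,
    still lie inside base? (base is a constructed sample directory)"""
    target = posixpath.normpath(posixpath.join(base, name))
    return target == base or target.startswith(base.rstrip("/") + "/")
```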
