Vulnerability Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Dragonfly | < 2.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-compProduct
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrvPatchThird Party Advisory
FAQ
What is CVE-2025-59349?
CVE-2025-59349 is a vulnerability with a CVSS score of 3.3 (LOW). Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access p...
How severe is CVE-2025-59349?
CVE-2025-59349 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-59349?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Dragonfly.