CVE-2025-59349

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-59349
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59349.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59349
Aliases
Published
2025-09-17T20:15:37Z
Modified
2025-09-20T05:48:01.516896Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.

References

Affected packages

Git / github.com/dragonflyoss/dragonfly2

Affected ranges

Type
GIT
Repo
https://github.com/dragonflyoss/dragonfly2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8f6f20b604bb540c39db5fb7020926e6db2dd9c8

Affected versions

v2.*

v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-rc.0