CVE-2025-59352

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-59352

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59352.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59352

Aliases

GHSA-79hx-3fp8-hj66

Published

2025-09-17T20:15:37Z

Modified

2025-09-20T05:47:39.964351Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.

References

Affected packages

Git / github.com/dragonflyoss/dragonfly2

Affected ranges

Type: GIT
Repo: https://github.com/dragonflyoss/dragonfly2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8f6f20b604bb540c39db5fb7020926e6db2dd9c8

Affected versions

v2.*

v2.1.0-beta.1

v2.1.0-beta.2

v2.1.0-beta.3

v2.1.0-beta.4

v2.1.0-rc.0