CVE-2025-59352

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-59352
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59352.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59352
Aliases
Downstream
Related
Published
2025-09-17T19:50:38Z
Modified
2025-10-28T20:44:49.859211Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P CVSS Calculator
Summary
Dragonfly allows arbitrary file read and write on a peer machine
Details

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.

Database specific 
{
    "cwe_ids": [
        "CWE-202",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/dragonflyoss/dragonfly

Affected ranges

Type
GIT
Repo
https://github.com/dragonflyoss/dragonfly
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8f6f20b604bb540c39db5fb7020926e6db2dd9c8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.0"
        }
    ]
}

Affected versions

v2.*

v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-rc.0

Git / github.com/dragonflyoss/dragonfly2

Affected ranges

Type
GIT
Repo
https://github.com/dragonflyoss/dragonfly2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8f6f20b604bb540c39db5fb7020926e6db2dd9c8

Affected versions

v2.*

v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-rc.0