GHSA-4mhv-8rh3-4ghw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4mhv-8rh3-4ghw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-4mhv-8rh3-4ghw/GHSA-4mhv-8rh3-4ghw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4mhv-8rh3-4ghw
- Aliases
- Published
- 2025-09-17T20:10:53Z
- Modified
- 2025-09-18T13:03:59Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error
- Details
-
Impact
We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug.
request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header) if err != nil { log.Errorf("generate url [%v] request error: %v", request.URL, err) span.RecordError(err) return err }Eve is a malicious actor operating a peer machine. She sends a dfdaemonv1.DownRequest request to her peer Alice. Alice’s machine receives the request, resolves a nil variable in the server.Download method, and panics.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
- Database specific
{ "nvd_published_at": "2025-09-17T20:15:37Z", "severity": "MODERATE", "github_reviewed_at": "2025-09-17T20:10:53Z", "github_reviewed": true, "cwe_ids": [ "CWE-476" ] }- References
Affected packages
Go / github.com/dragonflyoss/dragonfly
Package
- Name
- github.com/dragonflyoss/dragonfly
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/dragonflyoss/dragonfly