CVE-2025-59349

Опубликовано: 17 сент. 2025

Источник: nvd

CVSS3: 3.3

EPSS Низкий

Описание

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.

Ссылки

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Product
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:dragonfly:*:*:*:*:*:go:*:*

Версия до 2.1.0 (исключая)

EPSS

Процентиль: 5%

0.00022

Низкий

3.3 Low

CVSS3

Дефекты

CWE-732

Связанные уязвимости

GHSA-8425-8r2f-mrv6

github

5 месяцев назад

Dragonfly's directories created via os.MkdirAll are not checked for permissions