Home > Vulnerability Database > CVE-2025-59349

Mend.io Vulnerability Database

CVE-2025-59349

Good to know:

Date: September 17, 2025

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.

Severity Score

4.0

Related Resources (6)

Url: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

Url: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-59349

Url: https://github.com/dragonflyoss/dragonfly

Url: https://pkg.go.dev/vuln/GO-2025-3964

Url: https://www.mend.io/vulnerability-database/CVE-2025-59349

Severity Score

4.0

Weakness Type (CWE)

Incorrect Default Permissions

CWE-276

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

Upgrade Version

Upgrade to version github.com/dragonflyoss/dragonfly - v2.1.0;d7y.io/dragonfly/v2 - v2.1.0

Learn More

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-59349

Good to know:

Date: September 17, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?