How to fix CVE-2025-59349?

During next maintenance window: Apply vendor patches when convenient. Verify incorrect permissions controls are in place.

Is Dragonfly affected by CVE-2025-59349?

CVE-2025-59349 is a low-severity vulnerability in Dragonfly involving incorrect permissions (CVSS 2.0). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.

CVE-2025-59349

LOW

2025-09-17 [email protected]

2.0

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:12 vuln.today

Patch Released

Mar 28, 2026 - 19:12 nvd

Patch available

CVE Published

Sep 17, 2025 - 20:15 nvd

LOW 2.0

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.

Analysis

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.0), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Technical Context

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0. Affected products include: Linuxfoundation Dragonfly. Version information: Prior to 2.1.0.

Affected Products

Linuxfoundation Dragonfly.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Review and restrict file/resource permissions, apply principle of least privilege.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +10

POC: 0

CVE-2025-59349 vulnerability details – vuln.today

Back

CVE-2025-59349

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-59349

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code