CVE-2025-59348

HIGH

Dragonfly <2.1.0 - DoS

Title source: llm

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0.

References (2)

[Product] https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

[Patch, Third Party Advisory] https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-457

Status published

Affected Products (3)

linuxfoundation/dragonfly < 2.1.0

dragonflyoss/dragonfly < 2.1.0Go

dragonfly/v2 < 2.1.0Go

Timeline

Published Sep 17, 2025

Tracked Since Feb 18, 2026