CVE-2025-59348

HIGH

Dragonfly < 2.1.0 - Denial of Service via Uninitialized Variable in ProcessPieceFromSource

Title source: llm

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0.

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr

Product x_refsource_misc

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

Scores

CVSS v3 7.5

EPSS 0.0033

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-457

Status published

Products (3)

dragonfly/v2 0 - 2.1.0Go

dragonflyoss/dragonfly 0 - 2.1.0Go

linuxfoundation/dragonfly < 2.1.0

Published Sep 17, 2025

Tracked Since Feb 18, 2026