CVE-2025-59352

CRITICAL

Dragonfly < 2.1.0 - Path Traversal and Remote Code Execution via gRPC and HTTP APIs

Title source: llm

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66

Product x_refsource_misc

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

Scores

CVSS v3 9.8

EPSS 0.0152

EPSS Percentile 81.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-202

Status published

Products (3)

dragonfly/v2 0 - 2.1.0Go

dragonflyoss/dragonfly 0 - 2.1.0Go

linuxfoundation/dragonfly < 2.1.0

Published Sep 17, 2025

Tracked Since Feb 18, 2026