CVE-2025-59349: 
vulnerability analysis and mitigation

Dragonfly, an open source P2P-based file distribution and image acceleration system, was found to have a security vulnerability in versions prior to 2.1.0. The vulnerability (CVE-2025-59349) involves DragonFly2's usage of the os.MkdirAll function for creating directory paths with specific access permissions, where the function fails to perform permission checks on pre-existing directory paths (NVD, GitHub Advisory).

The vulnerability is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). It received a CVSS v3.1 base score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, and a CVSS v4.0 score of 2.0 (Low) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability allows a local attacker with unprivileged access to create directories that will be used by DragonFly2 with broad permissions. This could enable the attacker to tamper with files, potentially deleting and forging files in the affected directory to manipulate the results of commands executed by legitimate users (GitHub Advisory).

The vulnerability has been fixed in DragonFly2 version 2.1.0. There are no effective workarounds available besides upgrading to the patched version (GitHub Advisory).