CVE-2025-59352: 
vulnerability analysis and mitigation

Dragonfly, an open source P2P-based file distribution and image acceleration system, was found to contain a critical vulnerability (CVE-2025-59352) affecting versions prior to 2.1.0. The vulnerability was discovered and disclosed on September 17, 2025, impacting the gRPC API and HTTP APIs that allow peers to interact with each other (GitHub Advisory).

The vulnerability exists in the peer-to-peer communication APIs where peers can send requests that force the recipient peer to create files in arbitrary file system locations and read arbitrary files. The issue stems from insufficient validation of file system operations in the API implementation. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows malicious peers to steal other peers' secret data and potentially gain remote code execution (RCE) capabilities on the peer's machine. This presents a severe security risk as it could lead to unauthorized access to sensitive information and complete system compromise (GitHub Advisory).

The vulnerability has been fixed in Dragonfly version 2.1.0. There are no effective workarounds available beyond upgrading to the patched version. Users are strongly advised to upgrade to version 2.1.0 or later to address this security issue (GitHub Advisory).