CVE-2025-59352
Published: 17 September 2025
Summary
CVE-2025-59352 is a medium-severity Path Traversal (CWE-22) vulnerability in Linuxfoundation Dragonfly. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 16.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to version 2.1.0, its gRPC API and HTTP APIs contain path traversal flaws (CWE-22 and CWE-202) that let any peer issue requests forcing another peer to write files to arbitrary locations on its filesystem and to read arbitrary files from it. The affected component is the peer-to-peer communication layer used for content distribution.
Any participating peer can exploit the issue without authentication to exfiltrate secret data such as credentials or tokens stored on other peers and to achieve remote code execution on those peers by writing executable content into locations that will later be run. The CVSS 4.0 score of 6.9 reflects the network-accessible attack vector combined with high impact on confidentiality, integrity, and availability of the targeted peer.
The vulnerability is fixed in Dragonfly 2.1.0. The project’s security advisory GHSA-79hx-3fp8-hj66 and the accompanying comprehensive security report both recommend upgrading immediately; no other mitigations such as network segmentation or API authentication changes are described in the references.
The EPSS score remains flat at 0.0184 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29768
Vulnerability details
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine. This vulnerability is fixed in 2.1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read enables T1005 (Data from Local System) and T1081 (Credentials in Files) for stealing data/secrets. Exposed gRPC/HTTP APIs allow exploitation of the peer service (T1190) leading to arbitrary file write and RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents path traversal exploits in the gRPC and HTTP APIs by validating file path inputs to block arbitrary file creation and reads.
- SI-2 (Flaw Remediation): Ensures timely remediation by patching to Dragonfly 2.1.0, which fixes the specific flaw allowing arbitrary file operations.
- Access enforcement: Enforces access control policies to restrict API-mediated access to filesystem resources, mitigating unauthorized file reads and writes.
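The input-validation control above (SI-10) is the kind of check a peer service should apply to every path it receives from another peer before touching the filesystem. The following Go function is an added example written for this page; it is not Dragonfly's own code and does not reflect how the 2.1.0 fix was implemented. It assumes a hypothetical fixed storage root (`root`) under which all peer-supplied relative paths must stay, and it rejects absolute paths, NUL bytes, and any path that lexically escapes the root after cleaning.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a peer-supplied path would resolve
// outside the storage root. (Hypothetical helper for illustration.)
var ErrPathTraversal = errors.New("path escapes storage root")

// SafeJoin resolves `requested`, a relative path received from a remote
// peer, against `root` and returns the absolute on-disk path only if it
// stays inside root. It is a lexical check: "." and ".." segments are
// collapsed by filepath.Join/Clean, and the cleaned result is compared
// against root via filepath.Rel.
func SafeJoin(root, requested string) (string, error) {
	if requested == "" {
		return "", errors.New("empty path")
	}
	// NUL bytes can truncate the path at the OS boundary; never accept them.
	if strings.ContainsRune(requested, 0) {
		return "", ErrPathTraversal
	}
	// Peers may only name locations relative to the root.
	if filepath.IsAbs(requested) {
		return "", ErrPathTraversal
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, requested) // Join also cleans the result

	// If the cleaned path is outside root, Rel yields ".." or "../...".
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return joined, nil
}

// AcceptedPaths runs SafeJoin over a batch of peer-supplied paths and
// returns only the ones that resolve inside root, preserving order.
func AcceptedPaths(root string, requests []string) []string {
	var ok []string
	for _, r := range requests {
		if p, err := SafeJoin(root, r); err == nil {
			ok = append(ok, p)
		}
	}
	return ok
}

func main() {
	// Constructed sample requests, as a peer might send them to the API.
	root := "/var/lib/dragonfly/data"
	requests := []string{
		"blobs/sha256/abc",         // legitimate
		"../../../etc/passwd",      // classic traversal
		"/etc/passwd",              // absolute path
		"blobs/../../secret",       // traversal hidden behind a valid prefix
		"blobs/./x/../y",           // messy but stays inside root
	}
	for _, r := range requests {
		p, err := SafeJoin(root, r)
		fmt.Printf("%-24q -> %q err=%v\n", r, p, err)
	}
}
```

The check is purely lexical. If the storage root may contain symlinks created by untrusted input, a production implementation should additionally resolve the final path with `filepath.EvalSymlinks` and re-run the same containment comparison on the resolved result, since a symlink inside root can point anywhere on the host.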