Cyber Resilience

CVE-2025-59352

Medium

Published: 17 September 2025
Modified: 18 September 2025
KEV Added: not listed
CVSS v4.0 score: 6.9 (Medium)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0184 (83.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59352 is a medium-severity path traversal (CWE-22) vulnerability in Linux Foundation Dragonfly, an open source P2P file distribution and image acceleration system. Its CVSS v4.0 score is 6.9 (Medium).

Operationally, the arbitrary-read side of the flaw maps to the MITRE ATT&CK technique Data from Local System (T1005), and the arbitrary-write side gives a route to code execution on the targeted peer. Its EPSS score places it in the top 16.6% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation); in practice the latter means upgrading to Dragonfly 2.1.0 or later.

Deeper analysis

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to version 2.1.0, its gRPC API and HTTP APIs contain path traversal flaws (reported under CWE-22 and CWE-202) that let any peer send requests forcing another peer to write files to arbitrary locations on its filesystem and to read arbitrary files from it. The affected component is the peer-to-peer communication layer used for content distribution: the file path a peer names in a request is used by the receiving peer without being confined to that peer's storage directory.

Any participating peer can exploit the issue without authentication (PR:N in the vector) to exfiltrate secrets such as credentials or tokens stored on other peers, and to achieve remote code execution on those peers by writing attacker-controlled content into a location the host later executes. The reported 6.9 corresponds to the vector shown above: network-reachable, low complexity, no privileges or user interaction, no impact recorded on the vulnerable-system metrics, High impact on the subsequent-system confidentiality, integrity and availability metrics (SC:H/SI:H/SA:H), and a Proof-of-Concept exploit maturity (E:P).

The vulnerability is fixed in Dragonfly 2.1.0. The project's security advisory GHSA-79hx-3fp8-hj66 and the accompanying comprehensive security report both recommend upgrading immediately; no other mitigations such as network segmentation or API authentication changes are described in the references. Because no workaround is documented, the practical interim control is to limit which hosts can reach a peer's gRPC and HTTP listeners, and to treat every host that can reach them as able to read and write that peer's filesystem until the upgrade is in place.
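The flaw described above is the generic shape of CWE-22 in a daemon that stores and serves files. The Go program below is an added illustration, not Dragonfly's own code and not the project's fix: unsafeJoin shows the vulnerable pattern of joining a peer-supplied path onto the storage root and trusting the result, and safeJoin shows the containment check that SI-10 style input validation should apply before any read or write. The storage root /var/lib/dragonfly/data, the request paths and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Illustrative code, not Dragonfly's own. Sentinel errors for the two
// ways a peer-supplied path can be refused.
var (
	ErrOutsideRoot = errors.New("path escapes storage root")
	ErrInvalidPath = errors.New("path contains an invalid byte")
)

// unsafeJoin is the vulnerable shape: the path taken from a peer's request
// is joined onto the storage root with no containment check. filepath.Join
// cleans ".." segments, so "../../../../etc/cron.d/x" resolves to
// "/etc/cron.d/x" and the write lands wherever the remote peer chose.
func unsafeJoin(root, peerPath string) string {
	return filepath.Join(root, peerPath)
}

// safeJoin resolves peerPath under root and rejects anything that does not
// stay strictly inside root after lexical cleaning. Containment is checked
// with filepath.Rel rather than a string prefix, so a sibling directory such
// as "<root>-evil" cannot slip past a HasPrefix test.
func safeJoin(root, peerPath string) (string, error) {
	if strings.ContainsRune(peerPath, 0) {
		return "", ErrInvalidPath // a NUL byte would truncate the path in a C-level open()
	}
	// Task and piece names are relative; an absolute path in a request is
	// never legitimate, so refuse it before joining.
	if filepath.IsAbs(peerPath) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, peerPath) // Join applies Clean
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// rel is "." when target == root (a request must name a file, not the
	// root itself) and starts with ".." when target has escaped the root.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/var/lib/dragonfly/data" // hypothetical storage root
	// Constructed request paths: one legitimate, three hostile.
	for _, p := range []string{
		"tasks/abc123/piece-0",
		"../../../../etc/cron.d/backdoor",
		"../data-evil/piece-0",
		"/root/.ssh/authorized_keys",
	} {
		safe, err := safeJoin(root, p)
		fmt.Printf("%-34s unsafe=%-46s safe=%q err=%v\n", p, unsafeJoin(root, p), safe, err)
	}
}
```

The check is purely lexical. If other requests can create symlinks inside the storage tree, resolve the accepted target with filepath.EvalSymlinks (or open it relative to a directory handle) and repeat the containment check on the resolved path before touching the file.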

The EPSS score remains flat at 0.0184 with no material increase after disclosure.


Vulnerability details

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers' secret data and to gain remote code execution (RCE) capabilities on the peer's machine. This vulnerability is fixed in 2.1.0.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-202 Exposure of Sensitive Information Through Data Queries

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Arbitrary file read enables T1005 (Data from Local System) and T1552.001 (Credentials in Files) for stealing data and secrets from the victim peer. Exposed gRPC/HTTP APIs allow exploitation of the peer service itself (T1190), and the arbitrary file write that results is what turns the flaw into remote code execution.

MITRE ATLAS Techniques

AML.T0010 AI Supply Chain Compromise
AML.T0016 Obtain Capabilities
AML.T0024 Exfiltration via AI Inference API

CVEs Like This One

CVE-2026-24124 (same product: Linuxfoundation Dragonfly)
CVE-2026-33211 (same vendor: Linuxfoundation)
CVE-2026-27969 (same vendor: Linuxfoundation)
CVE-2026-35167 (same vendor: Linuxfoundation)
CVE-2026-41491 (same vendor: Linuxfoundation)
CVE-2026-37531 (same vendor: Linuxfoundation)
CVE-2025-51480 (same vendor: Linuxfoundation)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-33701 (same vendor: Linuxfoundation)
CVE-2024-24421 (same vendor: Linuxfoundation)

Affected Assets

linuxfoundation
dragonfly
< 2.1.0 (all versions before 2.1.0; the fix ships in 2.1.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents path traversal in the gRPC and HTTP APIs by validating peer-supplied file paths so that they cannot name files outside the peer's storage directory, blocking arbitrary file creation and reads.

SI-2 Flaw Remediation (prevent)
Ensures timely remediation by upgrading to Dragonfly 2.1.0, which fixes the flaw allowing arbitrary file operations.

Access enforcement (prevent)
Enforces access control policies that restrict API-mediated access to filesystem resources, limiting unauthorized file reads and writes even where input validation is incomplete.
