CVE-2025-59352
Published: 17 September 2025
Summary
CVE-2025-59352 is a critical-severity Path Traversal (CWE-22) vulnerability in Linuxfoundation Dragonfly. Its CVSS base score is 9.8 (Critical).
Exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 19.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents path traversal exploits in the gRPC and HTTP APIs by validating file path inputs to block arbitrary file creation and reads.
- SI-2 (Flaw Remediation): ensures timely remediation by patching to Dragonfly 2.1.0, which fixes the specific flaw allowing arbitrary file operations.
- Enforces access control policies to restrict API-mediated access to filesystem resources, mitigating unauthorized file reads and writes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read enables T1005 (Data from Local System) and T1081 (Credentials in Files) for stealing data/secrets. Exposed gRPC/HTTP APIs allow exploitation of the peer service (T1190) leading to arbitrary file write and RCE.
NVD Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers' secret data and to gain remote code execution (RCE) capabilities on the peer's machine. This vulnerability is fixed in 2.1.0.
Deeper analysis
CVE-2025-59352 affects Dragonfly, an open source P2P-based file distribution and image acceleration system, in versions prior to 2.1.0. The vulnerability resides in the gRPC API and HTTP APIs, which permit peers to send requests that compel the recipient peer to create files in arbitrary filesystem locations and read arbitrary files. This issue corresponds to CWE-22 (Path Traversal) and CWE-202 (Exposure of Sensitive Information to an Unauthorized Actor), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Any remote attacker who can connect as a peer to a vulnerable Dragonfly instance can exploit this flaw without authentication, privileges, or user interaction. Successful exploitation enables arbitrary file reads, allowing theft of sensitive data such as secrets, and arbitrary file writes, which can lead to remote code execution (RCE) on the victim's machine by overwriting critical files or executables.
The vulnerability is addressed in Dragonfly version 2.1.0. Security practitioners should upgrade to this patched release immediately. Additional details are available in the official GitHub security advisory (GHSA-79hx-3fp8-hj66) and the Dragonfly comprehensive security report (docs/security/dragonfly-comprehensive-report-2023.pdf).
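The SI-10 control listed above and the analysis in this section both come down to one check: a peer-supplied path must never resolve outside the directory the service is allowed to touch. The following Go function is an added illustration of that check written for this page; it is not code from Dragonfly, and the base directory, the file names and the function name SafeJoin are constructed for the example. It assumes a POSIX-style filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path would resolve outside the
// directory the service is allowed to touch.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// SafeJoin resolves an untrusted, peer-supplied relative path against a fixed
// base directory and returns the resulting absolute path only if it stays
// inside that directory. Assumed helper for illustration, not Dragonfly code.
func SafeJoin(base, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty path")
	}
	// An absolute path from a peer is never legitimate for this API.
	if filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join calls Clean, which collapses ".", ".." and repeated separators,
	// so "a/../b" becomes "<base>/b" and "../x" becomes "<parent of base>/x".
	joined := filepath.Join(absBase, name)
	// Express the result relative to base: anything whose first path
	// component is ".." has escaped. A name that merely starts with ".."
	// (such as "..hidden") is a legitimate file and is kept.
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	// Constructed base directory and sample requests; not from a real deployment.
	const base = "/var/lib/dragonfly/data"
	for _, name := range []string{
		"blobs/sha256-0123", // normal request
		"a/../b",            // traversal that still stays inside base
		"../../etc/passwd",  // classic escape
		"..",                // base's parent
		"/etc/passwd",       // absolute path
		"..hidden",          // legitimate name that only starts with ".."
	} {
		p, err := SafeJoin(base, name)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-20q accepted -> %s\n", name, p)
	}
}
```

The comparison is purely lexical. If the base directory itself may contain symlinks, or if the same API can create them, resolve the existing parent with filepath.EvalSymlinks before comparing, and apply the check on both the read and the write paths, since the advisory describes both.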
Details
- CWE(s)