PT-2025-38260 · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27 · CVE-2025-59349

CVSS v4.0: 5.1 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0
Description: Dragonfly2 uses the os.MkdirAll function to create directory paths with specific access permissions. os.MkdirAll does not check the permissions of a directory that already exists, so a local attacker who creates the directory with broad permissions before Dragonfly2 does can have Dragonfly2 silently adopt it, potentially enabling file tampering. An unprivileged local attacker can therefore pre-create the directories/paths with 0777 permissions before Dragonfly2 creates them, allowing files in those directories to be deleted or forged.
Recommendations: Upgrade to version 2.1.0 or later.
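As an added illustration (not Dragonfly's own code), the Go program below shows why os.MkdirAll alone is not enough and the post-creation check a defender would add: after MkdirAll returns, the path is stat'ed and rejected if it already existed with wider permissions than requested or a different owner. The name ensurePrivateDir and the temp-dir scenario are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrUntrustedDir: the path already existed with a mode or owner we did not choose.
var ErrUntrustedDir = errors.New("directory exists with unexpected mode or owner")

// ensurePrivateDir wraps the os.MkdirAll pattern from the advisory with the check
// MkdirAll itself skips: after creation the path is Lstat'ed (symlinks are not
// followed) and must be a real directory owned by the current user with no
// permission bits beyond those requested. A pre-planted 0777 directory fails.
func ensurePrivateDir(path string, perm os.FileMode) error {
	if err := os.MkdirAll(path, perm); err != nil {
		return err
	}
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if !fi.Mode().IsDir() {
		return fmt.Errorf("%w: %s is not a directory", ErrUntrustedDir, path)
	}
	// Reject any bit set on disk that was not requested (e.g. group/world write).
	if extra := fi.Mode().Perm() &^ perm.Perm(); extra != 0 {
		return fmt.Errorf("%w: %s has extra bits %o", ErrUntrustedDir, path, extra)
	}
	// Ownership check (Unix-only): a directory created by another local user is rejected.
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Getuid() {
		return fmt.Errorf("%w: %s owned by uid %d", ErrUntrustedDir, path, st.Uid)
	}
	return nil
}

func main() {
	base, _ := os.MkdirTemp("", "dfly-example")
	defer os.RemoveAll(base)
	// Constructed scenario: a 0777 directory already sits at the path the daemon will use.
	planted := filepath.Join(base, "cache")
	_ = os.Mkdir(planted, 0o777)
	_ = os.Chmod(planted, 0o777) // Chmod sidesteps the umask that Mkdir applies
	fmt.Println("plain MkdirAll:  ", os.MkdirAll(planted, 0o700)) // nil: existing dir accepted as-is
	fmt.Println("checked, planted:", ensurePrivateDir(planted, 0o700))
	fmt.Println("checked, fresh:  ", ensurePrivateDir(filepath.Join(base, "fresh"), 0o700))
}
```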

Weakness Enumeration

Incorrect Permission
Incorrect Default Permissions

Related Identifiers

CVE-2025-59349
GHSA-8425-8R2F-MRV6
GO-2025-3964
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products

Dragonfly