PT-2025-38271 · Dragonfly · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27

CVE-2025-59352 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0
Description: Dragonfly's peer-to-peer gRPC and HTTP APIs accept file paths from remote peers and use them without confining them to the peer's storage directory. A malicious peer can therefore send a request that makes the receiving peer create or overwrite files at arbitrary locations on its file system, or read arbitrary files and return their contents. The defect is not in os.OpenFile() or io.Copy() themselves but in how they are fed: the peer-controlled DataFilePath is passed straight to os.OpenFile(), and io.Copy() then streams the request body into whatever file that path names, so a traversal sequence or an absolute path in the request becomes a writable target outside the intended directory. Arbitrary file write on a host is an established route to remote code execution (RCE), and the arbitrary read lets a peer exfiltrate secret data such as credentials and keys; together they give a network-reachable, unauthenticated attacker full compromise of the peer, which is why the score is Critical.
Recommendations: Upgrade to version 2.1.0 or later.
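The following Go program is an added example for this advisory and is not Dragonfly's code. vulnerableWrite reproduces the pattern the description names (a peer-supplied path handed to os.OpenFile() and filled with io.Copy(); the page's own name for that variable is DataFilePath), and safePath/safeWrite show the confinement a peer service needs before it touches the file system: reject absolute names and NUL bytes, reject anything that cleans to a parent of the root, refuse symlinked directory components already inside the root, and create the file with O_EXCL so an existing file or symlink at the final component is never followed. Every function name, the store layout and the peer-supplied names are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any peer-supplied name that would resolve
// outside the storage root: absolute path, NUL byte, "..", or a symlink
// planted inside the root that points elsewhere.
var ErrOutsideRoot = errors.New("peer-supplied path escapes storage root")

// vulnerableWrite reproduces the pattern the advisory describes (example
// code, not Dragonfly's): a path from a peer request is joined onto the
// storage directory with no confinement check, opened with os.OpenFile,
// and the request body is streamed in with io.Copy. filepath.Join only
// cleans the path, so "../x" lands one level above root.
func vulnerableWrite(root, peerPath string, body io.Reader) (int64, error) {
	target := filepath.Join(root, peerPath)
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	return io.Copy(f, body)
}

// safePath confines a peer-supplied relative name to root (POSIX paths;
// Windows drive-relative names such as "C:x" are not handled). It rejects
// absolute names, NUL bytes and anything that cleans to "." or a parent of
// root, then walks the directory components one at a time: an existing
// component is Lstat'ed and refused if it is a symlink, a missing one is
// created with os.Mkdir. The result lies under root on the real file
// system, not just lexically.
func safePath(root, peerPath string) (string, error) {
	if peerPath == "" || filepath.IsAbs(peerPath) || strings.ContainsRune(peerPath, 0) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	rel := filepath.Clean(peerPath)
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	parts := strings.Split(rel, sep)
	cur := absRoot
	for _, part := range parts[:len(parts)-1] {
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		switch {
		case errors.Is(err, os.ErrNotExist):
			if err := os.Mkdir(cur, 0o750); err != nil {
				return "", err
			}
		case err != nil:
			return "", err
		case info.Mode()&os.ModeSymlink != 0:
			return "", ErrOutsideRoot // planted link inside root: refuse
		case !info.IsDir():
			return "", fmt.Errorf("%s: not a directory", cur)
		}
	}
	return filepath.Join(cur, parts[len(parts)-1]), nil
}

// safeWrite is the hardened counterpart of vulnerableWrite. O_EXCL makes
// the open fail if anything (file or symlink) already exists at the final
// component, so a prepared link cannot redirect the write either.
func safeWrite(root, peerPath string, body io.Reader) (int64, error) {
	target, err := safePath(root, peerPath)
	if err != nil {
		return 0, err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o640)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	return io.Copy(f, body)
}

func main() {
	base, err := os.MkdirTemp("", "cve-2025-59352-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	store := filepath.Join(base, "store")
	if err := os.Mkdir(store, 0o750); err != nil {
		panic(err)
	}
	const peerPath = "../escaped.txt" // constructed peer-supplied name
	n, err := vulnerableWrite(store, peerPath, strings.NewReader("owned\n"))
	fmt.Println("vulnerable:", n, err, "-> wrote", filepath.Join(base, "escaped.txt"))
	_, err = safeWrite(store, peerPath, strings.NewReader("owned\n"))
	fmt.Println("hardened:", err)
	n, err = safeWrite(store, "tasks/abc/data", strings.NewReader("ok\n"))
	fmt.Println("hardened, in-root:", n, err)
}
```

The component walk with os.Lstat is used instead of filepath.EvalSymlinks so that directories which do not exist yet can still be created safely; a small window between Lstat and Mkdir remains, which is why the root itself must not be writable by untrusted local users. O_EXCL turns the write into create-only; a service that legitimately overwrites files would instead open with O_NOFOLLOW on platforms that provide it.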

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-59352
GHSA-79HX-3FP8-HJ66
GO-2025-3971
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products

Dragonfly