CVE-2025-59352CRITICAL 9.8EPSS p47.5%

CVE-2025-59352CVE-2025-59352

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.68% probability of exploitation · percentile 47.5% · 2026-06-19T12:03:05Z
Published2025-09-17
Last modified2025-09-18

Underlying weaknesses· 2

CWE-22CWE-202

References

  1. https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
  2. https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66

2

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information Through Data Queriescwe-2020%live
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-59345
CVE
CVE-2026-24124
CVE
CVE-2026-27476
CVE
CVE-2025-68705
CVE
CVE-2026-50590
CVE
CVE-2025-14532
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.