CVE-2025-59349
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | before 2.1.0 (2.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Dragonfly2 versions prior to 2.1.0, where the software uses the os.MkdirAll function to create directories without checking permissions if the directory already exists. A local attacker can exploit this by pre-creating a directory with broad permissions that Dragonfly2 will later use, potentially allowing the attacker to tamper with files within that directory.
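The check that a bare os.MkdirAll call skips, shown as an added Go example (not Dragonfly2's code or its actual fix). The helper name ensurePrivateDir, the 0700 mode and the temporary paths are assumptions chosen for illustration, and the owner check is Unix-only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ensurePrivateDir is a hypothetical helper. It rejects a directory that already
// existed as a symlink, with bits beyond perm, or with another owner (Unix only).
func ensurePrivateDir(dir string, perm os.FileMode) error {
	// os.MkdirAll returns nil for an existing directory and leaves its mode as is.
	if err := os.MkdirAll(dir, perm); err != nil {
		return err
	}
	fi, err := os.Lstat(dir) // Lstat does not follow a symlink
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a real directory (%v)", dir, fi.Mode())
	}
	if extra := fi.Mode().Perm() &^ perm; extra != 0 {
		return fmt.Errorf("%s has unexpected permission bits %04o", dir, extra)
	}
	if st, ok := fi.Sys().(*syscall.Stat_t); !ok || int(st.Uid) != os.Geteuid() {
		return fmt.Errorf("%s is not owned by the current user", dir)
	}
	return nil
}

// demo (constructed scenario): "cache" is pre-created 0777, "new/cache" is absent.
func demo() (preCreated, fresh error) {
	base, err := os.MkdirTemp("", "mkdirall-demo")
	if err != nil {
		return err, err
	}
	defer os.RemoveAll(base)
	loose := filepath.Join(base, "cache")
	if err := os.Mkdir(loose, 0o777); err != nil {
		return err, err
	}
	if err := os.Chmod(loose, 0o777); err != nil { // override the umask
		return err, err
	}
	return ensurePrivateDir(loose, 0o700), ensurePrivateDir(filepath.Join(base, "new", "cache"), 0o700)
}

func main() { fmt.Println(demo()) }
```

The pre-created directory is reported as an error while the freshly created path passes. A caller should treat the error as fatal rather than tightening the mode in place, because files may already have been planted in the directory.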
How can this vulnerability impact me?
The vulnerability can allow a local attacker to tamper with files used by Dragonfly2 by exploiting the directory creation process. This could lead to unauthorized modification of files, potentially compromising the integrity of the system or data managed by Dragonfly2.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly2 to version 2.1.0 or later, as this version contains the fix for the vulnerability related to directory creation permissions.