Directories created via os.MkdirAll are not checked for permissions
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly2's os.MkdirAll usage without permission checks allows local attackers to pre-create directories with broad permissions, enabling file tampering. Fixed in v2.1.0.
Vulnerability
Description
Dragonfly2, an open source P2P-based file distribution and image acceleration system, contains a vulnerability in how it creates directory paths. Prior to version 2.1.0, it uses os.MkdirAll to create directories with specific permissions. os.MkdirAll, however, returns success without inspecting a path that already exists as a directory, so a pre-existing directory keeps whatever permissions and ownership it was created with and the mode argument is silently ignored [1] [4].
Exploitation
A local attacker with unprivileged access to the machine can exploit this by pre-creating the directories that Dragonfly2 will later create, assigning them broad permissions (e.g., 0777). The attacker only needs to create the directory before Dragonfly2 does; from then on Dragonfly2 accepts the attacker's directory as its own, so the attacker, not Dragonfly2, decides the directory's ownership and permissions [1] [4].
Impact
Once Dragonfly2 starts using the attacker-created, broadly writable directory, the attacker can delete, rename or forge files within it. Write permission on a directory is what governs creating, renaming and unlinking its entries, so the attacker does not need write access to the individual files Dragonfly2 places there. Tampering with those files can alter the results of Dragonfly2 commands and corrupt file distribution or image acceleration, leading to data integrity issues or further compromise of the system [1] [4].
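The following Go program is an added example, not Dragonfly2's code and not the 2.1.0 fix. It reproduces the behaviour described above (a pre-created 0777 directory survives a later os.MkdirAll with 0700 untouched, and a planted symlink is followed and accepted) and then shows the kind of post-creation check a caller would want before trusting the directory. The function names vulnerableEnsureDir, ensureDir, dirPerm and the error ErrUntrustedDir are hypothetical; the ownership check reads syscall.Stat_t and is therefore Unix-only, and the attacker's directory is constructed inline by the program itself.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrUntrustedDir is returned when a directory exists but cannot be trusted.
var ErrUntrustedDir = errors.New("untrusted directory")

// vulnerableEnsureDir shows the pattern the advisory describes. os.MkdirAll
// returns nil as soon as the path exists as a directory (it follows symlinks
// to make that check), so a directory pre-created by someone else keeps that
// creator's ownership and permission bits; perm is never applied to it.
func vulnerableEnsureDir(path string, perm os.FileMode) error {
	return os.MkdirAll(path, perm)
}

// ensureDir creates path with perm and then verifies the directory that is
// actually there before the caller uses it. It must be a real directory (not
// a symlink), owned by the current user, and not writable by group or others.
// Ownership is read via syscall.Stat_t, so this version is Unix-only.
func ensureDir(path string, perm os.FileMode) error {
	if err := os.MkdirAll(path, perm); err != nil {
		return err
	}
	// Lstat, not Stat: a symlink planted at path must not be followed.
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%w: %s is a symlink", ErrUntrustedDir, path)
	}
	if !fi.IsDir() {
		return fmt.Errorf("%w: %s is not a directory", ErrUntrustedDir, path)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%w: cannot read ownership of %s", ErrUntrustedDir, path)
	}
	if int(st.Uid) != os.Getuid() {
		return fmt.Errorf("%w: %s is owned by uid %d, expected %d", ErrUntrustedDir, path, st.Uid, os.Getuid())
	}
	// Write permission on a directory is what allows creating, renaming and
	// unlinking entries, so the group/other write bits are the dangerous ones.
	if mode := fi.Mode().Perm(); mode&0o022 != 0 {
		return fmt.Errorf("%w: %s is group/world writable (%#o)", ErrUntrustedDir, path, mode)
	}
	return nil
}

// dirPerm returns the permission bits of path without following symlinks.
func dirPerm(path string) (os.FileMode, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	base, err := os.MkdirTemp("", "mkdirall-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	// Constructed scenario: the "attacker" creates the directory first with
	// broad permissions (explicit Chmod because Mkdir applies the umask).
	target := filepath.Join(base, "data")
	if err := os.Mkdir(target, 0o777); err != nil {
		panic(err)
	}
	if err := os.Chmod(target, 0o777); err != nil {
		panic(err)
	}

	// The application later "creates" it with 0700: no error, no change.
	err = vulnerableEnsureDir(target, 0o700)
	perm, _ := dirPerm(target)
	fmt.Printf("MkdirAll(0700) on pre-created dir: err=%v, perm stays %#o\n", err, perm)

	// The checked variant refuses to use it.
	fmt.Println("ensureDir on pre-created dir:", ensureDir(target, 0o700))

	// And accepts a directory it created itself.
	fmt.Println("ensureDir on fresh dir:", ensureDir(filepath.Join(base, "fresh"), 0o700))
}
```

The ownership test is the one that matters most: an attacker who pre-creates the directory with a tighter mode such as 0755 still owns it and can still rename or unlink entries inside it, which the mode check alone would miss. Running the check with os.Stat instead of os.Lstat would also be a mistake, since os.MkdirAll itself already follows a symlink at the target path.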
Mitigation
The vulnerability is fixed in Dragonfly2 version 2.1.0 and above. Users should upgrade to this version as there are no effective workarounds [1] [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dragonflyoss/dragonfly | Go | < 2.1.0 | 2.1.0 |
| d7y.io/dragonfly/v2 | Go | < 2.1.0 | 2.1.0 |
Affected products (2)
- Range: < 2.1.0
- dragonflyoss/dragonfly v5, Range: < 2.1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-8425-8r2f-mrv6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59349 (ghsa, ADVISORY)
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf (ghsa, x_refsource_MISC, WEB)
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6 (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2025-3964 (ghsa, WEB)
News mentions (0)
No linked articles in our index yet.