Dragonfly possibly panics due to nil pointer dereference when using variables created alongside an error
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly before 2.1.0 panics when a function's return value is dereferenced even after an error, allowing a remote attacker to cause denial of service via a crafted request.
Vulnerability
Overview
CVE-2025-59351 affects Dragonfly, an open-source P2P-based file distribution and image acceleration system. In versions prior to 2.1.0, the code contains at least two instances where the first return value of a function is dereferenced even when the function returns an error [4]. This programming flaw can lead to a nil pointer dereference, causing the program to panic and crash [1][4]. The root cause is insufficient error checking before using returned pointers [4].
Exploitation
A remote attacker, acting as a peer on the Dragonfly network, can exploit this by sending a crafted dfdaemonv1.DownRequest request to another peer (e.g., Alice) [4]. When Alice's server processes the request in the dfdaemon.Download method, the vulnerable code path is triggered, resulting in a nil dereference and a panic [4]. The attack requires network access to a Dragonfly peer, but no special authentication privileges are needed.
Impact
Successful exploitation results in a denial of service (DoS) condition: the targeted Dragonfly peer process crashes [4]. This disrupts file distribution and image acceleration services provided by that peer, potentially affecting all clients relying on it. The vulnerability does not allow arbitrary code execution or data exfiltration.
Mitigation
The vulnerability is fixed in Dragonfly version 2.1.0 [1][4]. Users are advised to upgrade immediately, as there are no effective workarounds available [4]. A security audit by Trail of Bits identified this issue, and the advisory is documented in the project's GitHub security advisors [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/dragonflyoss/dragonflyGo | < 2.1.0 | 2.1.0 |
d7y.io/dragonfly/v2Go | < 2.1.0 | 2.1.0 |
Affected products
2- Range: <2.1.0
- dragonflyoss/dragonflyv5Range: < 2.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-4mhv-8rh3-4ghwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59351ghsaADVISORY
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdfghsax_refsource_MISCWEB
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4mhv-8rh3-4ghwghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2025-3970ghsaWEB
News mentions
0No linked articles in our index yet.