Dragonfly allows arbitrary file read and write on a peer machine
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly prior to 2.1.0 allows peers to create and read arbitrary files via gRPC and HTTP APIs, leading to data theft and remote code execution.
Vulnerability
CVE-2025-59352 is a vulnerability in Dragonfly, an open-source P2P-based file distribution and image acceleration system. The gRPC API and HTTP APIs in versions prior to 2.1.0 do not validate or restrict file paths provided by peer requests. This allows a malicious peer to force the recipient peer to create files in arbitrary file system locations or read arbitrary files from the recipient's machine [1].
Exploitation
An attacker can operate as a peer within the Dragonfly P2P network and send specially crafted requests to other peers. No authentication is required beyond being able to connect to a peer's API endpoints. The vulnerability exists in both the gRPC and HTTP API surfaces, giving attackers multiple vectors to exploit the flaw [1].
Impact
Successful exploitation enables the attacker to steal sensitive data from the victim peer, such as credentials or cryptographic keys, by reading arbitrary files. More critically, the ability to write files to arbitrary locations allows the attacker to achieve remote code execution (RCE) on the victim's machine, for example by overwriting executable files or writing malicious scripts to startup directories [1].
Mitigation
The issue is fixed in Dragonfly version 2.1.0. Users are strongly advised to upgrade immediately. No workarounds are documented. The vulnerability has been publicly disclosed and may be exploited in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/dragonflyoss/dragonflyGo | < 2.1.0 | 2.1.0 |
d7y.io/dragonfly/v2Go | < 2.1.0 | 2.1.0 |
Affected products
2- Range: <2.1.0
- dragonflyoss/dragonflyv5Range: < 2.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-79hx-3fp8-hj66ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59352ghsaADVISORY
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdfghsax_refsource_MISCWEB
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66ghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2025-3961ghsaWEB
News mentions
0No linked articles in our index yet.