CVE-2025-59349

Description

Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly

How to fix CVE-2025-59349

To remediate CVE-2025-59349, upgrade the affected package to a fixed version below.

• Go/d7y.io/dragonfly/v2—upgrade to 2.1.0 or later
• Go/d7y.io/dragonfly/v2—upgrade to 2.1.0 or later
• Go/github.com/dragonflyoss/dragonfly—upgrade to 2.1.0 or later
• —no fix listed

Is CVE-2025-59349 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.1.0
• from 0, < 2.1.0
• from 0, < 2.1.0
• from 0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59349
• PATCHgithub.com/dragonflyoss/dragonfly
• WEBgithub.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
• WEBgithub.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6