Advisory Database

CVE-2025-59349: Dragonfly's directories created via os.MkdirAll are not checked for permissions

September 17, 2025 (updated September 26, 2025)

DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. os.MkdirAll returns success without checking or changing the existing permissions when the path already exists as a directory. A local attacker who can create such a directory with broad permissions (for example 0777) before DragonFly2 does can therefore read, delete or forge the files DragonFly2 later stores there.

Eve has unprivileged access to the machine on which Alice uses DragonFly2. Eve watches the commands Alice runs and creates the directories/paths DragonFly2 will use with 0777 permissions before DragonFly2 creates them. Because the later os.MkdirAll call succeeds silently, Eve can then delete and forge files in those directories and change the results of further commands executed by Alice.
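The pre-creation race described above, as an added Go example that is not DragonFly2's code and not its fix: the unchecked helper shows why os.MkdirAll silently accepts Eve's 0777 directory, and the checked helper shows the post-creation verification (real directory, not a symlink, owned by the caller, no group/other write bit) a practitioner would add. The cache/task path, the helper names and the temporary directory are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// ensureDirUnchecked is the vulnerable pattern from the advisory:
// os.MkdirAll returns nil as soon as path exists as a directory, so a
// directory Eve pre-created with 0777 keeps that mode and is accepted as-is.
func ensureDirUnchecked(path string) error {
	return os.MkdirAll(path, 0o700)
}

// ensureDirChecked is a hardened variant (an assumption for this example,
// not DragonFly2's own fix): create the path, then verify what is there.
func ensureDirChecked(path string) error {
	if err := os.MkdirAll(path, 0o700); err != nil {
		return err
	}
	return checkPrivateDir(path)
}

// checkPrivateDir rejects anything that is not a real directory, owned by the
// current user, with no group/other write bit. Unix-only (syscall.Stat_t).
func checkPrivateDir(path string) error {
	info, err := os.Lstat(path) // Lstat so a planted symlink is not followed
	if err != nil {
		return err
	}
	if info.Mode()&fs.ModeSymlink != 0 {
		return fmt.Errorf("%s: is a symlink", path)
	}
	if !info.IsDir() {
		return fmt.Errorf("%s: not a directory", path)
	}
	if perm := info.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: writable by group/others (mode %04o)", path, perm)
	}
	if st, ok := info.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Getuid() {
		return fmt.Errorf("%s: owned by uid %d, not uid %d", path, st.Uid, os.Getuid())
	}
	return nil
}

// simulateRace replays the advisory's scenario under a temporary directory:
// Eve pre-creates the path world-writable, then Alice's code runs both helpers.
// It returns the mode left on the directory and each helper's error.
func simulateRace() (mode fs.FileMode, uncheckedErr, checkedErr error) {
	base, err := os.MkdirTemp("", "cve-2025-59349-")
	if err != nil {
		return 0, err, err
	}
	defer os.RemoveAll(base)
	victim := filepath.Join(base, "cache", "task") // hypothetical DragonFly2 path

	// Eve's step: create the directory, then chmod so the umask cannot narrow it.
	if err := os.MkdirAll(victim, 0o777); err != nil {
		return 0, err, err
	}
	if err := os.Chmod(victim, 0o777); err != nil {
		return 0, err, err
	}

	// Alice's step: the unchecked call succeeds silently and leaves 0777 in place.
	uncheckedErr = ensureDirUnchecked(victim)
	info, err := os.Lstat(victim)
	if err != nil {
		return 0, uncheckedErr, err
	}
	mode = info.Mode().Perm()

	// The checked call refuses the pre-created, world-writable directory.
	checkedErr = ensureDirChecked(victim)
	return mode, uncheckedErr, checkedErr
}

func main() {
	mode, u, c := simulateRace()
	fmt.Printf("mode after MkdirAll: %04o\n", mode)
	fmt.Printf("unchecked: err=%v\n", u)
	fmt.Printf("checked:   err=%v\n", c)
}
```

Two caveats on the checked variant: a verification after creation still leaves a small window between the check and the first use of the directory, so it narrows rather than removes the race, and the ownership check relies on syscall.Stat_t and so only compiles on Unix. The remedy for DragonFly2 itself is the upgrade given under Solution.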

References

  • github.com/advisories/GHSA-8425-8r2f-mrv6
  • github.com/dragonflyoss/dragonfly
  • github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
  • github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6
  • nvd.nist.gov/vuln/detail/CVE-2025-59349
  • pkg.go.dev/vuln/GO-2025-3964

Affected versions

All versions before 2.1.0

Fixed versions

  • 2.1.0

Solution

Upgrade to version 2.1.0 or above. The Go vulnerability database tracks this issue as GO-2025-3964, so govulncheck will flag builds that depend on an affected version of d7y.io/dragonfly/v2.

Impact: 3.3 LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness

  • CWE-276: Incorrect Default Permissions
  • CWE-732: Incorrect Permission Assignment for Critical Resource

Source file

go/d7y.io/dragonfly/v2/CVE-2025-59349.yml

Page generated Tue, 07 Oct 2025 00:19:14 +0000.