CVE-2025-59349 is a vulnerability identified in the Dragonfly open source project, a peer-to-peer (P2P) based file distribution and image acceleration system. The issue exists in versions prior to 2.1.0 and relates to incorrect permission assignment for critical resources, specifically directories created by the software. Dragonfly2 uses the Go language function os.MkdirAll to create directory paths with intended specific access permissions. However, os.MkdirAll does not verify or enforce permissions if the directory already exists. This behavior allows a local attacker to pre-create directories with overly permissive access rights before Dragonfly2 attempts to create them. Consequently, the attacker can manipulate or tamper with files within these directories, potentially compromising the integrity of the data managed by Dragonfly. The vulnerability is classified under CWE-732, which concerns improper permission assignment for critical resources. The CVSS 4.0 base score is 2.0, indicating a low severity level, primarily because exploitation requires local access, no privileges, and no user interaction, and the impact is limited to integrity with no confidentiality or availability impact. No known exploits are reported in the wild, and the issue is fixed in Dragonfly version 2.1.0. This vulnerability highlights the risks of relying on directory creation functions that do not validate existing permissions, especially in software managing critical file distribution tasks.

For European organizations using Dragonfly versions prior to 2.1.0, this vulnerability could allow a local attacker—such as a malicious insider or an attacker who has gained limited local access—to tamper with files distributed or cached by Dragonfly. This could undermine the integrity of software images or files distributed across internal networks or cloud environments, potentially leading to deployment of altered or malicious content. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise could have downstream effects, such as introducing backdoors or corrupted files into production environments. Organizations relying on Dragonfly for critical infrastructure or software delivery pipelines may face risks to operational reliability and trustworthiness of distributed content. However, the low CVSS score and requirement for local access limit the scope of impact, making remote exploitation or widespread disruption unlikely. Nonetheless, in environments with shared systems or multi-tenant setups, the risk of privilege escalation or lateral movement through tampered files should be considered.

European organizations should upgrade Dragonfly to version 2.1.0 or later, where this vulnerability is fixed. Until upgrading is possible, organizations should implement strict local access controls to limit who can create or modify directories used by Dragonfly. File system monitoring and integrity checking tools can be deployed to detect unauthorized changes to directories and files managed by Dragonfly. Additionally, running Dragonfly processes with the least privilege necessary and isolating them in containers or sandboxed environments can reduce the risk of local tampering. Administrators should audit existing directory permissions to ensure no overly permissive directories exist that could be exploited. Incorporating automated deployment pipelines with cryptographic verification of distributed files can help detect tampering resulting from this vulnerability. Finally, organizations should educate local users about the risks of unauthorized directory creation and monitor logs for suspicious local activity related to Dragonfly directories.