Description
Advisory GHSA-8425-8r2f-mrv6 references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files.
Eve has unprivileged access to the machine where Alice uses DragonFly2. Eve watches the commands executed by Alice and introduces new directories/paths with 0777 permissions before DragonFl...
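A hardened replacement for the bare os.MkdirAll call described above, added here as an illustration and not taken from DragonFly2 or its fix: after creating the path it walks every element below a trusted base with Lstat and rejects any element that is a symlink or carries permission bits the caller never requested, which is exactly the pre-created 0777 directory the advisory describes. The base/rel split, the TamperedDirError type and a POSIX filesystem are my assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// TamperedDirError: a path element pre-existed with broader permissions or is not a real directory.
type TamperedDirError struct {
	Path string
	Mode os.FileMode
}

func (e *TamperedDirError) Error() string {
	return fmt.Sprintf("%s: unexpected mode %#o", e.Path, e.Mode)
}
// EnsurePrivateDir creates base/rel with the requested mode, then re-checks every
// element below base that os.MkdirAll may have silently reused. Each must be a real
// directory (not a symlink) and must carry no permission bit the caller did not ask for.
func EnsurePrivateDir(base, rel string, mode os.FileMode) error {
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("relative path %q escapes base", rel)
	}
	if err := os.MkdirAll(filepath.Join(base, rel), mode); err != nil {
		return err
	}
	cur := base
	for _, elem := range strings.Split(rel, string(filepath.Separator)) {
		if elem == "." {
			continue
		}
		cur = filepath.Join(cur, elem)
		fi, err := os.Lstat(cur) // Lstat: do not follow a symlink planted here
		if err != nil {
			return err
		}
		if !fi.IsDir() {
			return &TamperedDirError{Path: cur, Mode: fi.Mode()}
		}
		// A permission bit on disk that was not requested means the element pre-existed looser.
		if extra := fi.Mode().Perm() &^ mode.Perm(); extra != 0 {
			return &TamperedDirError{Path: cur, Mode: fi.Mode().Perm()}
		}
	}
	return nil
}
```

The check covers only elements below base; base itself (for example a shared /tmp) is assumed to be trusted and is not inspected.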
References:
- ADVISORY: GHSA-8425-8r2f-mrv6
- ADVISORY: GHSA-8425-8r2f-mrv6
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
- data/reports/GO-2024-3136.yaml (x/vulndb: potential Go vuln in d7y.io/dragonfly/v2: GHSA-hpc8-7wpm-889w #3136)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
          - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: Dragonfly's directories created via os.MkdirAll are not checked for permissions in d7y.io/dragonfly
cves:
    - CVE-2025-59349
ghsas:
    - GHSA-8425-8r2f-mrv6
references:
    - advisory: https://github.com/advisories/GHSA-8425-8r2f-mrv6
    - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-8425-8r2f-mrv6
    created: 2025-09-17T20:01:17.930441864Z
review_status: UNREVIEWED
```