CVE-2025-59352
📋 TL;DR
This vulnerability in Dragonfly lets a peer create or read arbitrary files on another peer's filesystem through the gRPC and HTTP APIs that peers expose to each other, by naming arbitrary paths in its requests. Reading files exposes secrets held on the peer; writing files can be turned into remote code execution. It affects all Dragonfly deployments running versions prior to 2.1.0.
💻 Affected Systems
- Dragonfly
📦 What is this software?
Dragonfly (GitHub: dragonflyoss/dragonfly), a Linux Foundation / CNCF project: a peer-to-peer file distribution and container image acceleration system. Each node runs a peer daemon (dfdaemon) that exchanges file pieces with other peers over gRPC and HTTP; those peer-facing APIs are what this CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, leading to data exfiltration, malware deployment, or lateral movement within the network.
Likely Case
Unauthorized file access and potential data theft, with possible RCE if attackers can write executable files to sensitive locations.
If Mitigated
Limited impact if network segmentation or strict access controls prevent peer-to-peer exploitation, but risk remains if vulnerable versions are exposed.
🎯 Exploit Status
Exploitation is straightforward: an attacker who can reach a vulnerable peer's gRPC or HTTP API sends a crafted request naming the file path to read or write, and no authentication is required. In a typical deployment every node in the cluster can reach every other peer's API, so any compromised container, node or neighbouring host on the peer network is in a position to exploit it.
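The bug class behind this advisory, shown as an added illustration in Go (the project's language). This is not Dragonfly's code: the function names, the storage directory and the request strings are hypothetical, and the point is only the difference between joining a peer-supplied name onto a directory and proving that the result still lies inside it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a peer-supplied name escapes the storage directory.
var ErrOutsideBase = errors.New("requested path escapes the storage directory")

// resolveVulnerable shows the bug class: the name taken from the remote peer's
// request is joined onto the storage directory with no containment check.
// filepath.Join cleans ".." segments, so "../../../etc/passwd" under
// /var/lib/dragonfly resolves to /etc/passwd, and a later os.Open or
// os.Create on that path reads or writes outside the storage directory.
func resolveVulnerable(base, requested string) string {
	return filepath.Join(base, requested)
}

// resolveSafe joins the same way but then proves the result still lies below
// base: the relative path from base to the target must not be "." or start
// with "..". A leading "/" in requested is harmless here because Join treats
// it as a segment under base, not as an absolute path.
func resolveSafe(base, requested string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, requested)
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

func main() {
	const base = "/var/lib/dragonfly" // hypothetical storage directory
	for _, req := range []string{"tasks/abc/piece-0", "../../../etc/passwd", "/etc/passwd", ".."} {
		fmt.Printf("vulnerable: %-24s -> %s\n", req, resolveVulnerable(base, req))
		if p, err := resolveSafe(base, req); err != nil {
			fmt.Printf("hardened:   %-24s -> rejected (%v)\n", req, err)
		} else {
			fmt.Printf("hardened:   %-24s -> %s\n", req, p)
		}
	}
}
```

The same check applies to the write side (file creation), since the request path is resolved before os.Create in exactly the same way. The Rel check is lexical: if the storage directory can contain symlinks that a peer influences, resolve the target with filepath.EvalSymlinks before checking, or on Go 1.24 and later open files through os.Root, which enforces containment when the file is opened.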
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0
Vendor Advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66
Restart Required: Yes
Instructions:
1. Back up your Dragonfly configuration and data.
2. Stop the Dragonfly service (dfdaemon on each node, plus the scheduler and manager).
3. Update every component to version 2.1.0 or later using your package manager or by downloading from the official repository. Upgrade all peers, not a subset: any peer still on an older version remains exploitable by its neighbours.
4. Restart the Dragonfly service.
5. Verify the update by checking the version of each component and monitoring the logs for errors.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to Dragonfly's gRPC and HTTP APIs with firewall rules so that only trusted peers or internal networks can reach them. With iptables, append one ACCEPT rule per trusted peer (or trusted subnet) and then a DROP for everyone else; because -A appends, the ACCEPT rules must be added before the DROP. dfdaemon exposes more than one listener (peer gRPC, upload, proxy), so repeat the pair for every exposed port, and mirror the rules in ip6tables if the hosts have IPv6 addresses.
# allow a trusted peer or subnet, then drop everyone else on that port
iptables -A INPUT -p tcp --dport <API_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <API_PORT> -j DROP
Disable Unused APIs
The peer gRPC and HTTP endpoints are the channel over which peers serve pieces to one another, so in a normal P2P deployment they cannot be switched off without switching off distribution itself. A listener that a given node genuinely does not need (for example the local proxy on a node that only seeds) can be disabled, but take the option name from the dfdaemon configuration reference for your version rather than assuming a key such as 'enableGRPC: false' exists. Every listener you remove is one less port the firewall rules above have to cover.
🧯 If You Can't Patch
- Isolate Dragonfly peers in a segmented network to limit exposure and prevent external or unauthorized access.
- Implement strict file system permissions and monitoring to detect and block unauthorized file creation or access attempts.
🔍 How to Verify
Check if Vulnerable:
Dragonfly is not a single binary: each node runs dfdaemon (with the dfget client) and the control plane runs the scheduler and manager. Every component below 2.1.0 is vulnerable, so check each one: run the binary's version subcommand (for example dfget version; the exact subcommand depends on the component, see --help) or, for Helm/Kubernetes deployments, read the image tags of the running pods.
Check Version:
dfget version
kubectl -n dragonfly-system get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}'
(dragonfly-system is the namespace used in the Helm chart documentation; adjust it to your deployment.)
Verify Fix Applied:
After updating, confirm the version is 2.1.0 or higher using the version check command, and test API endpoints to ensure they no longer allow arbitrary file operations.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation or access logs in Dragonfly or system logs, especially from unexpected IP addresses or peer IDs.
- Errors or warnings related to API requests attempting to access restricted file paths.
Network Indicators:
- Suspicious traffic to Dragonfly gRPC or HTTP ports from untrusted sources, with patterns of repeated file-related requests.
SIEM Query:
source="dragonfly.log" AND (event="file_creation" OR event="file_access") AND (path CONTAINS "/etc/" OR path CONTAINS "/root/" OR path CONTAINS "../")
Note the parentheses around the path terms: without them the trailing OR matches every line containing "/root/" regardless of source or event. The field names event and path are placeholders; Dragonfly does not emit events with these labels, so map the query onto the field that carries the requested file path in your peer API access logs.