CVE-2025-59351
Published 2025-09-17
Severity: medium, CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS: 0.29% (21.0th percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0 | 2.1.0 |
| dragonflyoss | dragonfly | < 2.1.0 | 2.1.0 |
| github.com | dragonflyoss_dragonfly | >= 0 < 2.1.0 | 2.1.0 |
| linuxfoundation | dragonfly | < 2.1.0 | 2.1.0 |
CVSS provenance
- NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- NVD, CVSS v4.0: 2.7 LOW, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV (2025-09-24): DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error in d7y.io/dragonfly
GHSA (2025-09-17, MEDIUM, CWE-476): DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error
### Impact
We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug.
```golang
request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header)
if err != nil {
	// request is nil whenever err != nil, so request.URL dereferences a nil pointer and panics
	log.Errorf("generate url [%v] request error: %v", request.URL, err)
	span.RecordError(err)
	return err
}
```
Eve is a malicious actor operating a peer machine. She sends a dfdaemonv1.DownRequest request to her peer Alice. Alice’s machine receives the request, resolves
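The pattern above reduced to a runnable program, as an added example rather than code from the DragonFly project: a constructed stand-in for `source.NewRequestWithContext` returns `(nil, err)` for a malformed URL, the vulnerable branch dereferences the nil `*http.Request` while building its log line, and the fixed branch logs the caller's own input instead. The function names `newRequest`, `downloadVulnerable` and `downloadFixed` are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
)

// newRequest stands in for source.NewRequestWithContext (constructed for this
// example): on a malformed URL it returns a nil request together with an error.
func newRequest(rawURL string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, fmt.Errorf("generate request: %w", err)
	}
	return req, nil
}

// downloadVulnerable mirrors the advisory's bug: the error branch formats
// request.URL even though request is nil. The recover turns the resulting
// runtime panic into an error so the crash can be observed in a test instead
// of taking the process down, which is what happens in the real daemon.
func downloadVulnerable(rawURL string) (retErr error) {
	defer func() {
		if r := recover(); r != nil {
			retErr = fmt.Errorf("panic: %v", r)
		}
	}()
	request, err := newRequest(rawURL)
	if err != nil {
		// request is nil here; request.URL is a nil pointer dereference.
		return fmt.Errorf("generate url [%v] request error: %w", request.URL, err)
	}
	return nil
}

// downloadFixed reports the same failure using only values that are valid in
// the error branch (the input URL), so a peer-supplied bad URL yields a clean
// error instead of a panic.
func downloadFixed(rawURL string) error {
	request, err := newRequest(rawURL)
	if err != nil {
		return fmt.Errorf("generate url [%v] request error: %w", rawURL, err)
	}
	_ = request // the request would be issued here
	return nil
}

func main() {
	fmt.Println("vulnerable:", downloadVulnerable("://bad"))
	fmt.Println("fixed:     ", downloadFixed("://bad"))
}
```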
OSV (2025-09-17, MEDIUM): DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-17