CNNVD-202509-2672 Information

Sep 17, 2025 cve

CNNVD ID

CNNVD-202509-2672

CVE-2025-59352

  • CNNVD Published: 2025-09-17

Description (Chinese)

Dragonfly是DragonflyDB开源的一个框架,可以对任何内容类型进行动态处理。 Dragonfly 2.1.0之前版本存在安全漏洞,该漏洞源于gRPC API和HTTP API允许对等节点发送请求强制接收节点在任意文件系统位置创建文件和读取任意文件,可能导致窃取其他对等节点的秘密数据和在目标机器上执行远程代码。

Description (English)

Dragonfly is an open-source framework for DragonflyDB that can dynamically process any type of content. There was a security loophole in the pre-Dragonfly 2.1.0 version, which originated from the fact that gRPC API and HTTP API allowed reciprocal nodes to send requests for mandatory receiving nodes to create and read any file at any file system location, which could lead to the theft of secret data from other peer nodes and the implementation of remote codes on target machines.

Hazard Level

High

Vulnerability Type

其他

Affected Vendor

如梦技术

Published

2025-09-17

Last Modified

2026-02-24

References

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66

Patch

https://d7y.io/

Share on: