CVE-2025-59351

Description

### Impact We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug. ```golang request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header) if err != nil { log.Errorf("generate url [%v] request error: %v", request.URL, err) span.RecordError(err) return err } ``` Eve is a malicious actor operating a peer machine. She sends a dfdaemonv1.DownRequest request to her peer Alice. Alice’s machine receives the request, resolves a nil variable in the server.Download method, and panics. ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf). If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected]).

Affected packages (4)

• Go/d7y.io/dragonfly/v2from 0, < 2.1.0
• Go/d7y.io/dragonfly/v2from 0, < 2.1.0
• Go/github.com/dragonflyoss/dragonflyfrom 0, < 2.1.0
• Go/github.com/dragonflyoss/dragonflyfrom 0

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-59351
• PATCHhttps://github.com/dragonflyoss/dragonfly
• WEBhttps://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
• WEBhttps://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4mhv-8rh3-4ghw
• WEBhttps://pkg.go.dev/vuln/GO-2025-3970