Advisory GHSA-4mhv-8rh3-4ghw references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug.
```go
request, err := source.NewRequestWithContext(ctx, parentReq.Url,
	parentReq.UrlMeta.Header)
if err != nil {
	// request is nil on this path; request.URL dereferences a nil pointer and panics
	log.Errorf("generate url [%v] request error: %v", request.URL, err)
	span.RecordError(err)
	return err
}
```
Eve is a malicious actor operating a peer machine....
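The bug class above, reproduced as an added example that is not DragonFly's code: `vulnerableFetch` mirrors the advisory's pattern (reading `request.URL` inside the error branch, where `request` is nil) and `safeFetch` shows the fix, which logs the input that failed rather than a field of the failed result. `net/http.NewRequestWithContext` stands in for DragonFly's `source.NewRequestWithContext` here; both return a nil request together with a non-nil error, which is the property the example depends on. The function names, the sentinel error and the sample URLs are constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// ErrNilDereference marks an error produced by a recovered nil-pointer panic.
var ErrNilDereference = errors.New("nil pointer dereference")

// vulnerableFetch reproduces the advisory's pattern: on the error path the
// first return value is nil, yet request.URL is still read. The panic is
// recovered and reported as an error so the behaviour can be observed without
// crashing the process (DragonFly has no such recover; the peer panics).
func vulnerableFetch(ctx context.Context, rawURL string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrNilDereference, r)
		}
	}()
	request, reqErr := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
	if reqErr != nil {
		// BUG: request is nil here, so request.URL panics before the error is returned.
		return fmt.Errorf("generate url [%v] request error: %w", request.URL, reqErr)
	}
	_ = request
	return nil
}

// safeFetch is the corrected form: on error, only values that are valid on
// that path (the raw input URL and the error itself) are used.
func safeFetch(ctx context.Context, rawURL string) error {
	request, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
	if err != nil {
		return fmt.Errorf("generate url [%q] request error: %w", rawURL, err)
	}
	_ = request
	return nil
}

func main() {
	ctx := context.Background()
	// "://bad" is a constructed malformed URL: the scheme is missing, so
	// NewRequestWithContext returns (nil, error), which is the trigger condition.
	for _, u := range []string{"https://example.com/blob", "://bad"} {
		fmt.Printf("vulnerable(%q): %v\n", u, vulnerableFetch(ctx, u))
		fmt.Printf("safe(%q):       %v\n", u, safeFetch(ctx, u))
	}
}
```

The general rule the fix applies: when a Go function returns `(T, error)` and the error is non-nil, treat the first value as unspecified unless the function's documentation says otherwise; error-branch logging should use the inputs, not the result.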
References:
- ADVISORY: GHSA-4mhv-8rh3-4ghw
- ADVISORY: GHSA-4mhv-8rh3-4ghw
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
  - data/reports/GO-2024-3136.yaml (x/vulndb: potential Go vuln in d7y.io/dragonfly/v2: GHSA-hpc8-7wpm-889w #3136)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
        - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: |-
    DragonFly vulnerable to panics due to nil pointer dereference when using
    variables created alongside an error in d7y.io/dragonfly
cves:
    - CVE-2025-59351
ghsas:
    - GHSA-4mhv-8rh3-4ghw
references:
    - advisory: https://github.com/advisories/GHSA-4mhv-8rh3-4ghw
    - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4mhv-8rh3-4ghw
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-4mhv-8rh3-4ghw
    created: 2025-09-17T21:01:18.507356305Z
review_status: UNREVIEWED
```