CVE-2025-59345
published 2025-09-17CVE-2025-59345: Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web…
PriorityP359critical9.1CVSS 3.1
AVNACLPRNUINSUCNIHAH
EPSS
0.36%
28.0th percentile
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0 | 2.1.0 |
| dragonflyoss | dragonfly | < 2.1.0 | 2.1.0 |
| github.com | dragonflyoss_dragonfly | >= 0 < 2.1.0 | 2.1.0 |
| linuxfoundation | dragonfly | < 2.1.10 | 2.1.10 |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvdv4.07.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly
osv·2025-09-24
CVE-2025-59345 Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly
Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly
Dragonfly doesn't have authentication enabled for some Manager’s endpoints in d7y.io/dragonfly
GHSA
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
ghsa·2025-09-17
CVE-2025-59345 [HIGH] CWE-287 Dragonfly doesn't have authentication enabled for some Manager’s endpoints
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
### Impact
The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs.
An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators.
### Patches
- Dragonfy v2.1.0 and above.
### Workarounds
There are no effective workarounds, beyond upgrading.
### References
A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/
OSV
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
osv·2025-09-17
CVE-2025-59345 [HIGH] Dragonfly doesn't have authentication enabled for some Manager’s endpoints
Dragonfly doesn't have authentication enabled for some Manager’s endpoints
### Impact
The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs.
An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators.
### Patches
- Dragonfy v2.1.0 and above.
### Workarounds
There are no effective workarounds, beyond upgrading.
### References
A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-17
Published