CVE-2025-59346
Published 2025-09-17
Priority P334 · medium 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.23% (13.8th percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0 | 2.1.0 |
| dragonflyoss | dragonfly | < 2.1.0 | 2.1.0 |
| github.com | dragonflyoss_dragonfly | >= 0 < 2.1.0 | 2.1.0 |
| linuxfoundation | dragonfly | < 2.1.0 | 2.1.0 |
CVSS provenance
NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v4.0: 5.5 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV (2025-09-24)
CVE-2025-59346: Dragonfly vulnerable to server-side request forgery in d7y.io/dragonfly
OSV (2025-09-17)
CVE-2025-59346 [HIGH]: Dragonfly vulnerable to server-side request forgery
### Impact
There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users.
One SSRF attack vector is exposed by the Manager’s API. The API allows users to create jobs. When creating a Preheat type of a job, users provide a URL that the Manager connects to (see figures 2.1–2.3). The URL is weakly validated, and so users can trick the Manager into sending HTTP requests to services that are in the Manager’s local network.
```golang
func (p *preheat) CreatePreheat(ctx context.Context, schedulers []models.Scheduler,
	json types.PreheatArgs) (*internaljob.Group
```
GHSA (2025-09-17)
CVE-2025-59346 [HIGH] CWE-918: Dragonfly vulnerable to server-side request forgery
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.