Dragonflyoss Dragonfly vulnerabilities
12 known vulnerabilities affecting dragonflyoss/dragonfly.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 2, MEDIUM 5, LOW 2
Vulnerabilities
CVE-2026-24124 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | fixed in 2.4.1-rc.1 | 2026-01-22
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete j
Source: nvd
CVE-2025-59352 | P2 | CRITICAL | CVSS 9.8 | CWE-22 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code exec
Source: nvd
CVE-2025-59345 | P3 | CRITICAL | CVSS 9.1 | CWE-306 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the /api/v1/jobs and /preheats endpoints in the Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network
Source: nvd
CVE-2025-59353 | P3 | HIGH | CVSS 7.5 | CWE-295 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer
Source: nvd
CVE-2025-59348 | P3 | HIGH | CVSS 7.5 | CWE-457 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTra
Source: nvd
CVE-2025-59347 | P3 | MEDIUM | CVSS 6.5 | CWE-295 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Mi
Source: nvd
CVE-2025-59346 | P3 | MEDIUM | CVSS 5.3 | CWE-918 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts
Source: nvd
CVE-2025-59350 | P4 | MEDIUM | CVSS 5.3 | CWE-208 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable me
Source: nvd
CVE-2025-59354 | P4 | MEDIUM | CVSS 5.3 | CWE-328 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0.
Source: nvd
CVE-2025-59351 | P4 | MEDIUM | CVSS 5.3 | CWE-476 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0.
Source: nvd
CVE-2025-59410 | P4 | LOW | CVSS 3.7 | CWE-311 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets
Source: nvd
CVE-2025-59349 | P4 | LOW | CVSS 3.3 | CWE-732 | fixed in 2.1.0 | 2025-09-17
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a dire
Source: nvd