CVE-2025-59345 | THREATINT

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0.

PUBLISHED Reserved 2025-09-12 | Published 2025-09-17 | Updated 2025-10-13 | Assigner GitHub_M

HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-306: Missing Authentication for Critical Function

Product status

< 2.1.0

affected

References

github.com/...gonfly/security/advisories/GHSA-89vc-vf32-ch59

github.com/...curity/dragonfly-comprehensive-report-2023.pdf

cve.org (CVE-2025-59345)

nvd.nist.gov (CVE-2025-59345)

Download JSON