VDB
CVE-2025-59350
CVE-2025-59350
PUBLISHED
CVSS 2.700000047683716 LOW
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0.
EPSS 0.15% · 35.3th percentile
Risk Scores
CVSS 4.0
2.700000047683716
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Score
0.15%
35.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | dragonflyoss/dragonfly | 0 |
| linuxfoundation | dragonfly | 0 |
| dragonflyoss | dragonfly | < 2.1.0 |
| d7y.io | dragonfly/v2 | 0 |
Exploit Intelligence
Timeline
- Jan 21, 1970 Security Advisory
- Sep 17, 2025 CVE Published
- Sep 18, 2025 EPSS Score
- Sep 18, 2025 CVE Updated
- Sep 25, 2025 EPSS Score
- Oct 2, 2025 EPSS Score
- Oct 4, 2025 Coalition ESS Score
- Oct 6, 2025 Coalition ESS Score
- Oct 9, 2025 EPSS Score
- Oct 16, 2025 EPSS Score
- Oct 20, 2025 Coalition ESS Score
- Oct 23, 2025 EPSS Score
References
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486 url
- https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf url
- https://nvd.nist.gov/vuln/detail/CVE-2025-59350 advisory
- https://github.com/dragonflyoss/dragonfly package
- https://pkg.go.dev/vuln/GO-2025-3972 url