CVE-2025-59350

Опубликовано: 17 сент. 2025

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0.

Ссылки

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Product
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:dragonfly:*:*:*:*:*:go:*:*

Версия до 2.1.0 (исключая)

EPSS

Процентиль: 24%

0.00082

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-208

Связанные уязвимости

GHSA-c2fc-9q9c-5486

github

5 месяцев назад

Dragonfly vulnerable to timing attacks against Proxy’s basic authentication