15 matches found

OSV
added 2025/09/24 7:21 p.m. | 1 view

GO-2025-3971 DragonFly vulnerable to arbitrary file read and write on a peer machine in d7y.io/dragonfly

DragonFly vulnerable to arbitrary file read and write on a peer machine in d7y.io/dragonfly...

CVSS 9.8 | AI score 7 | EPSS 0.01837
Exploits: 0 | References: 3
Snyk
added 2025/09/17 8:42 p.m. | 1 view

Incorrect Permission Assignment for Critical Resource

Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to using the os.MkdirAll function, which does not perform any permission checks when a given directory path already exists. An attacker can gain unauthorized access or modify files by...

CVSS 5.1 | AI score 6.6 | EPSS 0.00031
Exploits: 0 | References: 2
Github Security Blog
added 2025/09/17 8:2 p.m. | 5 views

Dragonfly vulnerable to timing attacks against Proxy’s basic authentication

Impact: The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison...

CVSS 6.9 | AI score 7.1 | EPSS 0.0015
Exploits: 0 | References: 5 | Affected Software: 2
CVE
added 2025/09/17 7:50 p.m. | 11 views

CVE-2025-59352

Dragonfly CVE-2025-59352 affects the Dragonfly open source P2P file distribution and image acceleration system. Prior to version 2.1.0, the gRPC API and HTTP APIs allow peers to request actions that force the recipient to create files in arbitrary filesystem locations and to read arbitrary files,...

CVSS 9.8 | AI score 7.8 | EPSS 0.01837
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2025/09/17 7:50 p.m. | 3 views

CVE-2025-59352 Dragonfly allows arbitrary file read and write on a peer machine

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal...

CVSS 7.9 | EPSS 0.01837
Exploits: 0 | References: 2
Snyk
added 2025/09/17 7:48 p.m. | 2 views

Use of Uninitialized Variable

Overview: Affected versions of this package are vulnerable to Use of Uninitialized Variable due to improper handling of the usedTraffic field in the processPieceFromSource method. An attacker can cause service disruption for a peer by exploiting incorrect rate limiting during task processing...

CVSS 7.5 | AI score 6.6 | EPSS 0.00091
Exploits: 0 | References: 2
CVE
added 2025/09/17 7:30 p.m. | 11 views

CVE-2025-59348

CVE-2025-59348 affects Dragonfly, an open-source P2P file distribution and image acceleration system. The vulnerability lies in the processPieceFromSource method, where an uninitialized variable n is used as a guard for the AddTraffic call instead of the actual result.Size, causing the structure’...

CVSS 7.5 | AI score 6.5 | EPSS 0.00091
Exploits: 0 | References: 2 | Affected Software: 1
CNNVD
added 2025/09/17 12:0 a.m. | 2 views

Dragonfly Security Vulnerability

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0, which stems from a hard-coded use of the HTTP protocol instead of HTTPS when downloading small files in the scheduler...

CVSS 6.9 | AI score 8.7 | EPSS 0.00029
Exploits: 0 | References: 2
Positive Technologies
added 2025/09/17 12:0 a.m. | 2 views

PT-2025-38273

Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0. Description: Dragonfly2 uses the MD5 hash function for downloaded files, which does not provide collision resistance. This allows attackers to replace files with malicious ones that have a colliding hash. An...

CVSS 9.9 | AI score 9.1 | EPSS 0.06448
Exploits: 11 | References: 45
Positive Technologies
added 2025/09/17 12:0 a.m. | 1 view

PT-2025-38254

Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0. Description: Dragonfly is a P2P-based file distribution and image acceleration system susceptible to a server-side request forgery (SSRF) vulnerability. This flaw allows users to force Dragonfly2’s components to...

CVSS 9.9 | AI score 9 | EPSS 0.06448
Exploits: 11 | References: 45
CNNVD
added 2025/09/17 12:0 a.m. | 2 views

Dragonfly Security Vulnerability

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0, which stems from the Manager's Certificate gRPC service not verifying that the requesting IP address belongs to the peer...

CVSS 8.7 | AI score 9 | EPSS 0.00056
Exploits: 1 | References: 2
CNNVD
added 2025/09/17 12:0 a.m. | 1 view

Dragonfly Security Vulnerability

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0 that stems from a gRPC API and HTTP API that allows a peer node to send a request to force a receiving node to create a...

CVSS 9.8 | AI score 9.2 | EPSS 0.01837
Exploits: 0 | References: 2
CNNVD
added 2025/09/17 12:0 a.m. | 2 views

Dragonfly Security Vulnerability

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0 that stems from the os.MkdirAll function not performing permission checks on existing directory paths, which could lead t...

CVSS 5.1 | AI score 8.6 | EPSS 0.00031
Exploits: 0 | References: 2
CNNVD
added 2025/04/17 12:0 a.m. | 2 views

Dragonfly Security Vulnerability

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 1.27.0 that stems from not checking the validity of a scan cursor, which could lead to a denial of service attack...

CVSS 6.5 | AI score 6.3 | EPSS 0.0032
Exploits: 1 | References: 3
Snyk
added 2021/05/30 7:42 a.m. | 4 views

Arbitrary Code Execution

Overview: Affected versions of this package are vulnerable to Arbitrary Code Execution via a crafted URL when the verifyurl option is disabled. This happens due to mishandling of the ImageMagick convert utility. NOTE: This vulnerability has also been identified as: CVE-2021-33564. Remediation: Upgra...

CVSS 9.8 | AI score 7.1 | EPSS 0.93359
Exploits: 4 | References: 2