13 matches found
CVE-2023-27584
CVE-2023-27584 affects Dragonfly2, an open-source P2P file distribution system. The vulnerability is caused by a hard-coded JWT secret key, "Secret Key", which enables authentication bypass. An attacker can perform actions with admin privileges by crafting a valid JWT token, potentially accessing...
CVE-2025-59349
Dragonfly (DragonflyOS) prior to version 2.1.0 is affected: the code path that creates directory structures using os.MkdirAll does not enforce permission checks when the target directory already exists. A local attacker could pre-create a directory with broad permissions and have Dragonfly2 subse...
CVE-2025-59353
Technical details beyond the initial description are not provided in the connected sources. Monitor for updates from vendor/security advisories for CVE-2025-59353.
CVE-2025-59348
CVE-2025-59348 affects Dragonfly, an open-source P2P file distribution and image acceleration system. The vulnerability lies in the processPieceFromSource method, where an uninitialized variable n is used as a guard for the AddTraffic call instead of the actual result.Size, causing the structure’...
CVE-2025-59347
CVE-2025-59347 affects Dragonfly before version 2.1.0, where the Manager disables TLS certificate verification in HTTP clients and cannot re-enable it; an attacker performing a network-level MITM can supply invalid data to the Manager, causing the preheater to operate on wrong data, leading to de...
CVE-2025-59354
CVE-2025-59354 affects Dragonfly before version 2.1.0, where downloaded files may be replaced due to use of MD5 for hashing, enabling attackers to supply malicious files with colliding hashes. The vulnerability is fixed in 2.1.0. The initial description provides the root cause and remedi...
CVE-2025-59350
CVE-2025-59350 - Dragonfly: A timing-attack vulnerability in the Proxy feature’s access control (string comparison) prior to 2.1.0 enables an attacker to guess passwords by measuring response times. The issue is fixed in 2.1.0. Affected: Dragonfly, proxy access control mechanism. Mitigation: upg...
CVE-2025-59352
Dragonfly CVE-2025-59352 affects the Dragonfly open source P2P file distribution and image acceleration system. Prior to version 2.1.0, the gRPC API and HTTP APIs allow peers to request actions that force the recipient to create files in arbitrary filesystem locations and to read arbitrary files,...
CVE-2025-59346
Technical details for CVE-2025-59346 are not provided in the connected documents. Public details require checking the primary sources and monitoring for updates.
CVE-2025-59351
Technical details for CVE-2025-59351 are not provided in the connected documents. Public information in the initial description notes a fix in Dragonfly 2.1.0, but no further specifics are available here. Monitor for updates.
CVE-2025-59410
Dragonfly CVE-2025-59410 affects the scheduler used for downloading tiny files prior to version 2.1.0, where the code path defaults to HTTP instead of HTTPS. This enables a potential Man-in-the-Middle attack to alter the data piece downloaded during the process. The issue is fixed in 2.1.0. The a...
CVE-2025-59345
CVE-2025-59345 affects Dragonfly (open source P2P file distribution/image acceleration). Before version 2.1.0, the Manager web UI endpoints /api/v1/jobs and /preheats were accessible without authentication, allowing any user with network access to create, delete, and modify jobs and to create pre...
CVE-2026-24124
Dragonfly CVE-2026-24124 describes an unauthenticated access flaw in the Manager Job API. In versions 2.4.1-rc.0 and earlier, the Job API endpoints under /api/v1/jobs lack JWT authentication middleware and RBAC checks, allowing unauthenticated users with Manager API access to view, create, modify...