CVE-2025-59350
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | to 2.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Dragonfly's Proxy feature prior to version 2.1.0, where the access control mechanism uses simple string comparisons that are vulnerable to timing attacks. An attacker can exploit this by guessing the password one character at a time, sending all possible characters and measuring the time it takes for the system to compare them, thereby potentially revealing the correct password.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to gain unauthorized access by guessing passwords through timing attacks, potentially compromising the security of the system using Dragonfly's Proxy feature. This could lead to unauthorized access to files or images distributed via the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly to version 2.1.0 or later, as this version fixes the timing attack vulnerability in the Proxy feature's access control mechanism.