CVE-2025-59350
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-17
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59350
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation dragonfly to 2.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dragonfly's Proxy feature prior to version 2.1.0, where the access control mechanism uses simple string comparisons that are vulnerable to timing attacks. An attacker can exploit this by guessing the password one character at a time, sending all possible characters and measuring the time it takes for the system to compare them, thereby potentially revealing the correct password.

Impact Analysis

The vulnerability can allow an attacker to gain unauthorized access by guessing passwords through timing attacks, potentially compromising the security of the system using Dragonfly's Proxy feature. This could lead to unauthorized access to files or images distributed via the system.

Mitigation Strategies

Upgrade Dragonfly to version 2.1.0 or later, as this version fixes the timing attack vulnerability in the Proxy feature's access control mechanism.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart