Platform
go
Component
d7y.io/dragonfly/v2
Fixed in
2.1.1
2.1.0
CVE-2025-59346 describes a server-side request forgery (SSRF) vulnerability discovered in Dragonfly v2. This flaw allows an attacker to manipulate the application into making requests to unintended internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability impacts versions of Dragonfly prior to 2.1.0, and a patch has been released to address the issue.
An attacker exploiting this SSRF could bypass perimeter controls and reach internal resources that are not directly exposed to the internet: internal APIs, databases, configuration endpoints and, on cloud hosts, the instance metadata service. Depending on what is reachable, this can lead to data exfiltration, privilege escalation, or control of other systems in the network. The blast radius is every resource the Dragonfly process can reach over HTTP/HTTPS.
CVE-2025-59346 was publicly disclosed on 2025-09-24. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the SSRF nature of the vulnerability suggests that they are likely to emerge.
Organizations deploying Dragonfly v2 in environments with internal APIs or sensitive resources accessible via HTTP/HTTPS are at risk. This includes deployments where Dragonfly is used as a proxy or gateway, as the vulnerability could be leveraged to access backend systems.
• go / server: Inspect Dragonfly application logs for unusual outbound HTTP requests to internal or unexpected external URLs. Use ss (or netstat) to list the established TCP connections on the host together with the owning process, and look for Dragonfly processes connecting to internal addresses:
ss -tnp state established
• generic web: Monitor access logs for requests whose URL parameters contain internal IP addresses, loopback or link-local hostnames, or unexpected URL schemes. Examine response bodies and headers for signs that an internal resource was fetched and returned.
• generic web: Use curl to probe a suspected SSRF endpoint; the path below is a placeholder to replace with the endpoint under test:
curl -v --connect-timeout 1 http://<dragonfly_host>/internal_resource
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59346 is to upgrade to Dragonfly version 2.1.0 or later, which includes the fix. If upgrading immediately is not feasible, restrict outbound connections from the Dragonfly application with strict network policies, enforced by host or network firewalls or by routing egress through a proxy that only permits approved destinations. In addition, validate any user-supplied data that is used to construct URLs: allow only the expected schemes and hosts, and reject targets that resolve to loopback, private, or link-local address ranges. A Web Application Firewall (WAF) with SSRF rules can add a further layer, but it should not be the only control.
Update Dragonfly to version 2.1.0 or later. This version contains the fix for the SSRF (server-side request forgery) vulnerability. Make sure to follow the vendor's update instructions.
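The two workarounds above, validating user-supplied URLs and restricting where the process may connect, in one added Go example. This is illustration code written for this page, not Dragonfly's own: the function names (`ValidateTarget`, `CheckDialAddress`, `GuardedClient`, `demoResolve`), the hostnames `mirror.example.org` and `metadata.internal`, and the address `203.0.113.10` are assumptions, and `demoResolve` is a constructed stand-in for DNS so the program runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// Ranges a request built from user-controlled input must never reach: loopback, RFC 1918,
// link-local (covers the 169.254.169.254 cloud metadata endpoint), CGNAT, multicast/reserved
// and the IPv6 counterparts. IsBlockedIP unmaps ::ffff:a.b.c.d first, so these cover that too.
var blockedNets = func() (nets []netip.Prefix) {
	for _, c := range []string{
		"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
		"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
		"::1/128", "fc00::/7", "fe80::/10", "ff00::/8"} {
		nets = append(nets, netip.MustParsePrefix(c))
	}
	return nets
}()

// IsBlockedIP reports whether ip is invalid, unspecified, or inside a blocked range.
func IsBlockedIP(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("") // Prefix.Contains never matches mapped or zoned addresses
	blocked := !ip.IsValid() || ip.IsUnspecified()
	for i := 0; !blocked && i < len(blockedNets); i++ {
		blocked = blockedNets[i].Contains(ip)
	}
	return blocked
}

// ValidateTarget is the input-validation half: http/https only, no credentials, a non-empty
// host, and every address the host resolves to outside the blocked ranges. The resolver is a
// parameter so the example runs offline; resolved addresses are returned so the caller can pin
// them instead of letting the transport resolve the name a second time.
func ValidateTarget(raw string, resolve func(host string) ([]netip.Addr, error)) (*url.URL, []netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || host == "" {
		return nil, nil, fmt.Errorf("rejected %q: need http/https, no credentials, non-empty host", raw)
	}
	ips := []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil { // literal address: no lookup needed
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, nil, fmt.Errorf("resolving %q: %v", host, err)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return u, ips, nil
}

// CheckDialAddress is the network-policy half, run on the literal ip:port the dialer is about
// to connect to, i.e. after DNS (so a name that re-resolves to 127.0.0.1 is caught) and again
// on every redirect hop.
func CheckDialAddress(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || IsBlockedIP(ap.Addr()) {
		return fmt.Errorf("ssrf guard: refusing connection to %s", address)
	}
	return nil
}

// GuardedClient wires CheckDialAddress into net.Dialer.Control. Transport.Proxy is left nil on
// purpose: through a proxy the hook would only ever see the proxy's own address.
func GuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: func(_, address string, _ syscall.RawConn) error {
		return CheckDialAddress(address)
	}}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

// demoResolve is a constructed stand-in for DNS so the program and its test run offline.
func demoResolve(host string) ([]netip.Addr, error) {
	table := map[string]string{"mirror.example.org": "203.0.113.10", "metadata.internal": "169.254.169.254"}
	if a, ok := table[host]; ok {
		return []netip.Addr{netip.MustParseAddr(a)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, raw := range []string{"https://mirror.example.org/pkg.tar.gz", "http://metadata.internal/", "http://169.254.169.254/latest/meta-data/"} {
		_, _, err := ValidateTarget(raw, demoResolve)
		fmt.Printf("%s -> err=%v\n", raw, err)
	}
	_ = GuardedClient() // use for outbound fetches of URLs that passed ValidateTarget
}
```

The two halves deliberately overlap. `ValidateTarget` rejects bad input early with a useful error, while the `Dialer.Control` hook sees the address the socket will actually connect to, so a hostname that passed validation but re-resolves to 127.0.0.1 a moment later, or a redirect from an allowed host to an internal one, is still refused. Whatever the service fetches on a user's behalf should go through a client built this way rather than `http.DefaultClient`.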
CVE-2025-59346 is a server-side request forgery vulnerability in Dragonfly v2, allowing attackers to make requests to unintended resources. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using Dragonfly v2 prior to version 2.1.0. Upgrade immediately to mitigate the risk.
Upgrade to Dragonfly v2.1.0 or later. As a temporary workaround, implement strict network policies and input validation.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official d7y.io/dragonfly project repository and associated security advisories for updates and detailed information.