Platform
go
Component
d7y.io/dragonfly/v2
Fixed in
2.1.1
2.1.0
CVE-2025-59346 is a server-side request forgery (SSRF) vulnerability in Dragonfly v2 (Go module d7y.io/dragonfly/v2), a peer-to-peer file distribution and image acceleration system. An attacker who can influence a URL that the service fetches can make a Dragonfly component issue HTTP requests to destinations of the attacker's choosing, including internal hosts that are never exposed directly, which can lead to unauthorized access and data exposure. Versions prior to 2.1.0 are affected; a patch has been released.
Because the forged requests originate from the Dragonfly process, they carry its network position and any ambient trust it holds. An attacker can use them to reach services that are not directly exposed to the internet: internal APIs and admin interfaces, databases with HTTP front ends and, on cloud hosts, typically the instance metadata service that hands out credentials. Depending on what is reachable, the outcome ranges from reading internal data to privilege escalation and control of other systems on the network. The blast radius is every HTTP/HTTPS endpoint the Dragonfly host can open a connection to, which in most deployments is far larger than the set of hosts the attacker can reach directly.
CVE-2025-59346 was publicly disclosed on 2025-09-24. There is no indication of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept exploit is known, but SSRF flaws are usually straightforward to reproduce once the fixing change is public, so one should be expected.
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59346 is to upgrade to Dragonfly 2.1.0 or later, which contains the fix. If that is not immediately possible, limit what an SSRF can reach rather than trying to detect it at the front door: enforce egress controls on the Dragonfly hosts (host firewall, Kubernetes NetworkPolicy or an explicit forward proxy) so the process can only connect to the registries and peers it legitimately needs, and block loopback, link-local and private ranges outright. Where URLs are taken from callers, validate them against an allowlist of schemes and hosts and resolve the hostname before connecting, so that a name cannot be used to point the request at an internal address. A WAF with SSRF signatures is at best a secondary control: the request that matters is the one Dragonfly sends outbound, and inbound signatures are routinely bypassed with alternate encodings or DNS names that resolve to internal addresses.
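The URL validation and egress pinning described above, as an added Go example. This is not Dragonfly's code; the function names, the allowlist, the injectable resolver and the sample URLs are constructed for illustration. It rejects non-HTTP schemes, userinfo, hosts outside an optional allowlist and any hostname that resolves to a loopback, private, link-local or unspecified address, and it builds an http.Client whose dialer re-checks the address it actually connects to, so a DNS answer that changes after validation (rebinding) or a redirect into internal space is still refused.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// resolver abstracts DNS so the URL check can be exercised offline with a
// fake; production code passes systemResolver. (Hypothetical helper.)
type resolver func(ctx context.Context, host string) ([]net.IP, error)

func systemResolver(ctx context.Context, host string) ([]net.IP, error) {
	return net.DefaultResolver.LookupIP(ctx, "ip", host)
}

// isForbiddenIP reports whether an address is one a caller-supplied URL
// should never reach: loopback, RFC 1918 and ULA private space, link-local
// (which covers the 169.254.169.254 cloud metadata endpoint), multicast and
// the unspecified address. The net.IP methods unwrap IPv4-mapped IPv6
// literals via To4, so ::ffff:10.0.0.1 is caught as well.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// validateOutboundURL accepts a URL only if its scheme is http or https, it
// carries no userinfo, its host is on the allowlist (when one is given) and
// every address the host resolves to is publicly routable.
func validateOutboundURL(ctx context.Context, raw string, allowedHosts map[string]bool, resolve resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo in url not permitted")
	}
	host := u.Hostname() // strips brackets from IPv6 literals
	if host == "" {
		return nil, errors.New("empty host")
	}
	if len(allowedHosts) > 0 && !allowedHosts[host] {
		return nil, fmt.Errorf("host %q not in allowlist", host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(ctx, host); err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips { // every answer must be safe, not just the first
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("host %q resolves to forbidden address %s", host, ip)
		}
	}
	return u, nil
}

// newPinnedClient returns an http.Client whose dialer re-checks the resolved
// address right before connecting (defeats DNS rebinding between validation
// and connect) and which does not follow redirects, so a public host cannot
// bounce the request to an internal one.
func newPinnedClient() *http.Client {
	d := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address) // address is already "ip:port"
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || isForbiddenIP(ip) {
				return fmt.Errorf("refusing to dial %s", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed sample URLs; 203.0.113.0/24 is the TEST-NET-3 documentation range.
	for _, raw := range []string{
		"https://203.0.113.10/blobs/sha256:0123",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.1.2.3]/admin",
	} {
		_, err := validateOutboundURL(context.Background(), raw, nil, systemResolver)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = newPinnedClient() // used for any request that passed validateOutboundURL
}
```

The two checks are deliberately separate: validateOutboundURL gives a clear error to the caller before any connection is attempted, while the dialer's Control hook is the backstop that holds even if the resolver returns a different answer on the second lookup. Both should be in place; the allowlist, when the set of legitimate upstreams is known, is the strongest of the three.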
Update Dragonfly to version 2.1.0 or later; this release contains the fix for the server-side request forgery. Follow the upgrade instructions published by the project, and confirm that the deployed binaries, and any Go modules that import d7y.io/dragonfly/v2, actually moved to the fixed version.
CVE-2025-59346 is a server-side request forgery vulnerability in Dragonfly v2 that lets an attacker cause the service to make requests to unintended destinations. It has a CVSS score of 7.5 (High).
You are affected if you run Dragonfly v2 prior to version 2.1.0. Upgrade as soon as possible.
Upgrade to Dragonfly v2.1.0 or later. Until then, restrict outbound network access from Dragonfly hosts and validate any caller-supplied URLs against an allowlist.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the Dragonfly2 repository (github.com/dragonflyoss/Dragonfly2, Go module d7y.io/dragonfly/v2) and its GitHub security advisories for updates and detailed information.