Platform
go
Component
d7y.io/dragonfly/v2
Fixed in
2.1.1
2.1.0
CVE-2025-59346 describes a server-side request forgery (SSRF) vulnerability in Dragonfly v2 (Go module d7y.io/dragonfly/v2). The flaw lets an attacker cause the application to issue HTTP requests to destinations of the attacker's choosing, including internal services that are not otherwise reachable, which can lead to unauthorized access and data exposure. Versions of Dragonfly prior to 2.1.0 are affected, and a patch has been released.
An attacker exploiting this SSRF could bypass perimeter controls and reach internal resources that are not directly exposed to the internet: internal APIs, databases, management interfaces, configuration endpoints and, in cloud deployments, instance metadata services. Depending on what those services expose, the outcome ranges from data exfiltration to privilege escalation or control of other systems on the network. The blast radius is every resource reachable over HTTP/HTTPS from the host or network position where Dragonfly runs.
CVE-2025-59346 was publicly disclosed on 2025-09-24. There is no indication of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept exploit is known, but SSRF issues are typically simple to weaponize once the vulnerable endpoint is understood, so one may emerge.
Organizations running Dragonfly v2 in environments where internal APIs or other sensitive resources are reachable over HTTP/HTTPS from the Dragonfly host are at risk. This includes deployments where Dragonfly acts as a proxy or gateway, since the vulnerability could be used to pivot to backend systems.
• go / server: Inspect Dragonfly application logs for unusual outbound HTTP requests to internal addresses or unexpected external URLs, and use ss (or netstat) to watch TCP connections originating from the Dragonfly process (substitute its PID):
ss -tnp | grep 'pid=<dragonfly_pid>'
• generic web: Monitor access logs for requests whose URL parameters carry loopback, private (RFC 1918), link-local (169.254.0.0/16) or IPv6 ULA addresses, or schemes other than http/https. Examine responses (headers and body) for content that looks like it came from an internal service rather than the intended origin.
• generic web: Use curl with a short connect timeout to probe an endpoint suspected of accepting attacker-controlled URLs, replacing the placeholder path with the endpoint under test:
curl -v --connect-timeout 1 'http://<dragonfly_host>/<endpoint_under_test>'
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59346 is to upgrade to Dragonfly version 2.1.0 or later, which contains the fix. If an immediate upgrade is not feasible, restrict outbound connections from the Dragonfly process with host firewalls, network policies or an egress proxy, so that it can reach only the origins it legitimately needs. Additionally, validate any user-supplied data used to build outbound URLs: allow only http and https, check the host against an allowlist, and reject destinations that resolve to loopback, private or link-local addresses (re-checking at connect time, since DNS answers can change between validation and connection). A Web Application Firewall (WAF) with SSRF rules adds defense in depth but does not replace these controls.
Update Dragonfly to version 2.1.0 or later, which contains the fix for this SSRF vulnerability. Follow the upgrade instructions provided by the vendor.
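The following Go program is an added example of the outbound-URL guard described in the mitigation above, and its rejection rules are the same ones the detection section suggests searching for in logs. It is not Dragonfly's code and is not the upstream patch for CVE-2025-59346; the function names, the allowlist, and the offline resolver (fakeDNS) standing in for real DNS are assumptions made for illustration. It validates scheme, host and resolved addresses before a request, and re-checks the address inside the dialer so a DNS answer that changes between validation and connect (DNS rebinding) is still blocked.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// isInternalIP reports whether an address is one an SSRF guard should refuse:
// loopback, RFC 1918 / ULA private ranges, link-local (which covers the
// 169.254.169.254 cloud metadata endpoint), multicast and the unspecified address.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateOutboundURL is the pre-flight check for a user-influenced URL: the
// scheme must be http/https, the host must be on allowedHosts (when one is
// given), and every address the host resolves to must be non-internal.
// lookup is injected so the check runs offline here; pass net.LookupIP in production.
func ValidateOutboundURL(raw string, allowedHosts []string, lookup func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" {
		return nil, errors.New("empty host")
	}
	if len(allowedHosts) > 0 {
		allowed := false
		for _, h := range allowedHosts {
			if strings.EqualFold(h, host) {
				allowed = true
				break
			}
		}
		if !allowed {
			return nil, fmt.Errorf("host %q not on allowlist", host)
		}
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address (IPv4 or bracketed IPv6), no DNS needed
	} else if ips, err = lookup(host); err != nil {
		return nil, fmt.Errorf("resolve %q: %w", host, err)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return u, nil
}

// guardDial runs inside the dialer just before connect(), on the address the
// OS is actually about to use, closing the DNS-rebinding window between
// ValidateOutboundURL and the connection itself.
func guardDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isInternalIP(ip) {
		return fmt.Errorf("blocked internal destination %s", address)
	}
	return nil
}

// NewGuardedClient returns an http.Client that enforces guardDial on every
// connection, re-validates each redirect target (SSRF via 30x is common), and
// ignores environment proxies so HTTP_PROXY cannot route around the check.
func NewGuardedClient(timeout time.Duration) *http.Client {
	dialer := &net.Dialer{Timeout: timeout, Control: guardDial}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{DialContext: dialer.DialContext, Proxy: nil},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := ValidateOutboundURL(req.URL.String(), nil, net.LookupIP)
			return err
		},
	}
}

// fakeDNS is a constructed, offline stand-in for name resolution.
func fakeDNS(host string) ([]net.IP, error) {
	table := map[string]string{"cdn.example.com": "93.184.216.34", "metadata.internal": "169.254.169.254"}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	for _, raw := range []string{
		"https://cdn.example.com/blob/1", "http://127.0.0.1:8080/admin",
		"http://metadata.internal/latest/meta-data/", "file:///etc/passwd", "http://[::1]/",
	} {
		if _, err := ValidateOutboundURL(raw, nil, fakeDNS); err != nil {
			fmt.Printf("REJECT %-45s %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s\n", raw)
		}
	}
	_ = NewGuardedClient(5 * time.Second)
}
```

Use the client returned by NewGuardedClient for every request built from user input, and call ValidateOutboundURL on the raw string first so a bad URL is rejected with a clear reason before any socket is opened. The allowlist is the strongest of the three checks; the address checks are the safety net for cases where an allowlist is not practical.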
CVE-2025-59346 is a server-side request forgery (SSRF) vulnerability in Dragonfly v2 that allows attackers to make the application send requests to unintended resources. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using Dragonfly v2 prior to version 2.1.0. Upgrade immediately to mitigate the risk.
Upgrade to Dragonfly v2.1.0 or later. As a temporary workaround, restrict outbound network access from the Dragonfly process and validate any user-supplied URLs against an allowlist.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official d7y.io/dragonfly project repository and associated security advisories for updates and detailed information.