CVE-2025-59345
📋 TL;DR
Dragonfly Manager web UI endpoints /api/v1/jobs and /preheats lack authentication in versions before 2.1.0, allowing unauthenticated attackers to create, delete, and modify jobs. This enables denial-of-service attacks by flooding the system with fake jobs, preventing legitimate administrators from accessing the Manager. Organizations running Dragonfly Manager web UI without proper network segmentation are affected.
💻 Affected Systems
- Dragonfly
📦 What is this software?
Dragonfly by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Complete denial-of-service of Dragonfly Manager, disrupting all file distribution and image acceleration services, potentially affecting dependent applications and services.
Likely Case
Temporary service disruption of Dragonfly Manager, requiring manual intervention to clear malicious jobs and restore functionality.
If Mitigated
Minimal impact if proper network controls restrict access to Manager endpoints or if authentication is enforced via other means.
🎯 Exploit Status
Exploitation requires only HTTP requests to vulnerable endpoints, making it trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0
Vendor Advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade Dragonfly to version 2.1.0 or later.
3. Restart the Dragonfly services.
4. Verify that authentication is now required for the /api/v1/jobs and /preheats endpoints.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the Dragonfly Manager web UI endpoints using firewall rules or network segmentation.
iptables -A INPUT -p tcp --dport [MANAGER_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [MANAGER_PORT] -j DROP
Reverse Proxy Authentication
Place Dragonfly Manager behind a reverse proxy that enforces authentication before forwarding requests.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dragonfly Manager from untrusted networks.
- Deploy a web application firewall (WAF) in front of Dragonfly Manager to block unauthorized access to vulnerable endpoints.
🔍 How to Verify
Check if Vulnerable:
Attempt to access the /api/v1/jobs or /preheats endpoints without authentication. If they respond without requiring credentials, the system is vulnerable.
Check Version:
dragonfly version | grep -i version
Verify Fix Applied:
After patching, verify that unauthenticated requests to /api/v1/jobs and /preheats return authentication errors (e.g., 401 Unauthorized).
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of job creation requests from single IPs
- Failed authentication attempts followed by successful job operations
- High frequency of requests to /api/v1/jobs or /preheats
Network Indicators:
- HTTP POST requests to /api/v1/jobs or /preheats without authentication headers
- Unusual traffic patterns to Manager web UI port
SIEM Query:
source="dragonfly.log" AND (uri="/api/v1/jobs" OR uri="/preheats") AND NOT auth_success="true" | stats count by src_ip
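The log indicators and SIEM query above, turned into a small offline checker as an added example (not code from the advisory or from the Dragonfly project). The log line layout, the `auth=` field and the flood threshold are assumptions made for this example; the sample lines are constructed.

```python
import re
from collections import Counter

# Endpoints the advisory names as unauthenticated before Manager 2.1.0.
SENSITIVE_PREFIXES = ("/api/v1/jobs", "/preheats")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed layout: "<timestamp> <src_ip> <method> <path> <status> auth=<none|bearer|...>".
# This is a constructed format for the example, not Dragonfly Manager's real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Constructed sample lines: one source hammering the job endpoints without credentials,
# one rejected with 401 (patched behaviour), one authenticated admin doing normal work.
LOG_LINES = """\
2025-09-30T12:00:01Z 203.0.113.5 POST /api/v1/jobs 200 auth=none
2025-09-30T12:00:01Z 203.0.113.5 POST /api/v1/jobs 200 auth=none
2025-09-30T12:00:02Z 203.0.113.5 POST /api/v1/jobs 200 auth=none
2025-09-30T12:00:02Z 203.0.113.5 DELETE /api/v1/jobs/17 200 auth=none
2025-09-30T12:00:03Z 198.51.100.9 GET /api/v1/jobs 401 auth=none
2025-09-30T12:00:04Z 10.0.0.12 POST /preheats 200 auth=bearer
2025-09-30T12:00:05Z 10.0.0.12 GET /api/v1/users 200 auth=bearer
""".splitlines()

def parse_line(line):
    """Return the parsed fields, or None when the line does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_sensitive(path):
    # Prefix match so /api/v1/jobs/<id> (delete/modify) counts as well as the collection.
    return any(path == p or path.startswith(p + "/") or path.startswith(p + "?")
               for p in SENSITIVE_PREFIXES)

def analyze(lines, flood_threshold=3):
    """Flag (a) unauthenticated requests that succeeded against the job endpoints, which
    shows the Manager is still exposed, and (b) source IPs issuing many job mutations."""
    unauth_success, mutations = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        if rec["auth"] == "none" and 200 <= rec["status"] < 300:
            unauth_success.append((rec["ip"], rec["method"], rec["path"]))
        if rec["method"] in MUTATING:
            mutations[rec["ip"]] += 1
    flood = {ip: n for ip, n in mutations.items() if n >= flood_threshold}
    return {"unauthenticated_success": unauth_success, "flood_sources": flood}
```

After patching, the `unauthenticated_success` list should stay empty because those requests are answered with 401, as in the fifth sample line.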