VYPR
High severity · NVD Advisory · Published Sep 17, 2025 · Updated Oct 13, 2025

Dragonfly did not enable authentication for some Manager’s endpoints

CVE-2025-59345

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the /api/v1/jobs and /preheats endpoints in the Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI can use the /api/v1/jobs endpoint to create hundreds of useless jobs, leaving the Manager in a denial-of-service state in which it stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dragonfly Manager's /api/v1/jobs and /preheats endpoints lack authentication, allowing unauthenticated denial of service via job creation.

Vulnerability

Overview

CVE-2025-59345 is an authentication bypass vulnerability in the Dragonfly Manager component, affecting versions prior to 2.1.0. The /api/v1/jobs and /preheats endpoints are accessible without any authentication, allowing any user with network access to the Manager web UI to interact with job management functions [1][4].

Exploitation

An unauthenticated attacker with network access to the Manager web UI can exploit this by sending requests to the /api/v1/jobs endpoint to create a large number of useless jobs. No authentication or prior access is required, making the attack surface broad for any exposed Manager instance [1].

Impact

By creating hundreds of jobs, the attacker can overwhelm the Manager, causing it to enter a denial-of-service (DoS) state. In this state, the Manager stops accepting legitimate requests from valid administrators, effectively disrupting normal operations and preventing administrative management of the Dragonfly system [1].

Mitigation

The vulnerability is fixed in Dragonfly version 2.1.0. Users should upgrade to this version or later to remediate the issue. No workarounds are mentioned in the available references [1][3].
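The missing control, shown as an added illustration that is not Dragonfly's own code nor its actual 2.1.0 fix: a net/http stand-in for the two routes, registered once with no authentication (the pre-2.1.0 behaviour) and once behind a bearer-token middleware, plus a probe helper so the difference can be pinned down in a regression test. The demoToken constant, the handler names and the token scheme are assumptions made for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed shared secret for this illustration only; a real Manager would
// validate a session or API token against its own user store.
const demoToken = "demo-admin-token"

// jobHandler stands in for the Manager's job/preheat handler.
func jobHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("job accepted: " + r.Method + " " + r.URL.Path))
}

// requireAuth rejects any request that lacks a valid bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || tok != demoToken {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableRouter mirrors pre-2.1.0: both routes registered with no auth.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/jobs", jobHandler)
	mux.HandleFunc("/preheats", jobHandler)
	return mux
}

// hardenedRouter wraps the same routes in the auth middleware.
func hardenedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/jobs", requireAuth(http.HandlerFunc(jobHandler)))
	mux.Handle("/preheats", requireAuth(http.HandlerFunc(jobHandler)))
	return mux
}

// probe sends one POST to path (token "" = unauthenticated) and returns the
// HTTP status code the router produced; use it in regression tests.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("{}"))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

A test that asserts 401 for every unauthenticated call to these routes is the cheapest way to keep the endpoints from silently losing their middleware again.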

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions   Patched versions
github.com/dragonflyoss/dragonfly  Go          < 2.1.0             2.1.0
d7y.io/dragonfly/v2                Go          < 2.1.0             2.1.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
