Dragonfly server-side request forgery vulnerability
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly versions prior to 2.1.0 contain multiple SSRF vulnerabilities allowing users to force internal components to make requests to internal services.
Vulnerability
Overview
Dragonfly, an open-source P2P-based file distribution and image acceleration system, contains multiple server-side request forgery vulnerabilities in versions prior to 2.1.0 [1][3]. The core issue is that the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, allowing an attacker to force the Manager to send HTTP requests to internal services that are otherwise not accessible [3]. Additionally, peers can trigger other peers to fetch an arbitrary URL through the pieceManager.DownloadSource method, and internal HTTP clients follow redirects, enabling a request to a malicious server to be redirected to internal services [1][3].
Exploitation
An attacker can exploit this vulnerability by providing a malicious URL when creating a Preheat job via the Manager API [3]. The URL is weakly validated, so the attacker can specify an internal IP address or hostname to probe or access internal HTTP endpoints [1]. Furthermore, a peer can ask another peer to make a request to an arbitrary URL by triggering the pieceManager.DownloadSource method, which calls httpSourceClient.GetMetadata and performs the request [3]. Because HTTP clients do not disable support for redirects, a request to a malicious server can be redirected to an internal service, expanding the attack surface [3].
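The two mechanisms described in the Overview and Exploitation passages (a user-supplied source URL that passes only a weak check, and an internal HTTP client that follows redirects wherever they point) are illustrated below with an added Go example. It is not Dragonfly's code and does not reproduce its Manager, Preheat or pieceManager APIs; `weakValidate`, `ValidateSourceURL`, `checkDialAddress`, `NewRestrictedClient`, `SampleResolver` and the host table are constructed for this page. `weakValidate` stands in for a prefix-style check that lets loopback, RFC 1918 and cloud-metadata targets through; the strict version restricts the scheme, resolves the host and rejects any non-public address, re-validates every redirect target with a cap on the chain, and additionally checks the IP at dial time so a hostname that rebinds to an internal address after validation is still refused.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Resolver maps a hostname to addresses; injected so the example runs offline.
type Resolver func(host string) ([]net.IP, error)

// sampleHosts is a constructed stand-in for DNS (hypothetical names; 203.0.113.10 is a documentation-range address).
var sampleHosts = map[string][]net.IP{
	"mirror.example":   {net.ParseIP("203.0.113.10")},
	"internal.example": {net.ParseIP("10.0.0.5")},
}

func SampleResolver(host string) ([]net.IP, error) {
	if ips, ok := sampleHosts[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// weakValidate is the "before": a prefix check that accepts any http(s) URL, including loopback, RFC 1918 and metadata targets.
func weakValidate(raw string) bool {
	return strings.HasPrefix(raw, "http://") || strings.HasPrefix(raw, "https://")
}

// isPublicIP reports whether ip is globally routable; the net.IP predicates unwrap IPv4-mapped IPv6 first, and 169.254/16 is link-local.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast())
}

// ValidateSourceURL is the "after": http(s) only, host resolved, rejected if any resolved address is non-public (the client may connect to any of them).
func ValidateSourceURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("forbidden target: %s resolves to %s", host, ip)
		}
	}
	return u, nil
}

// checkDialAddress runs on the address actually dialed ("ip:port", after DNS),
// so a host that rebinds to an internal address after validation is still refused.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || !isPublicIP(ip) {
		return fmt.Errorf("forbidden target: dial %s", address)
	}
	return nil
}

// NewRestrictedClient re-validates every redirect target (capping the chain) instead of
// following redirects blindly, and enforces checkDialAddress at connect time via Dialer.Control.
func NewRestrictedClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Control: func(_, address string, _ syscall.RawConn) error {
		return checkDialAddress(address)
	}}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return fmt.Errorf("too many redirects")
			}
			_, err := ValidateSourceURL(req.URL.String(), resolve)
			return err
		},
	}
}

func main() {
	_, err := ValidateSourceURL("http://169.254.169.254/latest/meta-data/", SampleResolver)
	fmt.Println("weak:", weakValidate("http://169.254.169.254/latest/meta-data/"), "strict:", err)
}
```

The `Dialer.Control` hook is what closes the gap a validate-then-fetch sequence leaves open: the check there sees the IP the socket is about to connect to, not the answer DNS gave a moment earlier. Note that a hand-built `http.Transport` has no proxy configured (unlike `http.DefaultTransport`, which reads the environment), which is what you want here, since a proxy would otherwise carry the request past the dial check.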
Impact
Successful exploitation allows an attacker to probe or access internal HTTP endpoints that are not normally reachable from outside the network [1]. Depending on which internal services are exposed, this can lead to information disclosure, lateral movement, or compromise of those services [3].
Mitigation
The vulnerability is fixed in Dragonfly version 2.1.0 [1][3]. No workaround other than upgrading is documented [3], so users should move to 2.1.0 or later as soon as possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dragonflyoss/dragonfly | Go | < 2.1.0 | 2.1.0 |
| d7y.io/dragonfly/v2 | Go | < 2.1.0 | 2.1.0 |
Affected products
- Range: <= 2.0.9
- dragonflyoss/dragonfly: Range: < 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g2rq-jv54-wcpr (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59346 (source: GHSA; type: ADVISORY)
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf (source: GHSA; type: x_refsource_MISC, WEB)
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-g2rq-jv54-wcpr (source: GHSA; type: x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2025-3968 (source: GHSA; type: WEB)
News mentions
No linked articles in our index yet.