Dragonfly incorrectly handles a task structure’s usedTraffic field
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly before 2.1.0 fails to update usedTraffic during task processing due to an uninitialized variable, causing incorrect rate limiting and a denial-of-service condition.
Root Cause
The vulnerability lies in the processPieceFromSource method in Dragonfly's P2P file distribution system. The method writes pieces of data to storage and updates a Task structure. However, an uninitialized variable n is used as a guard for the AddTraffic method call instead of result.Size. This means the usedTraffic field is never updated during task processing [1][4].
Exploitation
No authentication is required for exploitation; any task processed by a peer triggers the bug. The attack surface is the peer-to-peer network itself—any peer that receives a task in a distributed environment will experience the flaw. Because n is never assigned, it holds its zero value, so the guard around AddTraffic never passes and traffic is not properly accounted [4].
Impact
Because usedTraffic metadata is not updated, the rate-limiting mechanism that relies on it becomes ineffective. An attacker can cause a peer's traffic to be unrestricted, leading to resource exhaustion and a denial-of-service condition for that peer [1].
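The guard mistake described in the Root Cause and Impact sections, as an added Go illustration. This is constructed for this page and is not Dragonfly's source: the Task type, writePiece, processPieceVulnerable, processPieceFixed and rateLimited are assumed names that reproduce the pattern (a zero-valued n guarding AddTraffic instead of result.Size) and show its effect on a limiter that reads usedTraffic.

```go
package main

import "fmt"

// Task is a simplified stand-in for a task record whose usedTraffic
// counter feeds rate limiting. Constructed for this example.
type Task struct {
	ID          string
	usedTraffic int64
}

// AddTraffic credits n bytes against the task's traffic budget.
func (t *Task) AddTraffic(n int64) {
	t.usedTraffic += n
}

// UsedTraffic returns the bytes accounted so far.
func (t *Task) UsedTraffic() int64 {
	return t.usedTraffic
}

// pieceResult stands in for the result of writing one piece to storage.
type pieceResult struct {
	Size int64
}

// writePiece simulates persisting a piece and reports the bytes written.
func writePiece(piece []byte) pieceResult {
	return pieceResult{Size: int64(len(piece))}
}

// processPieceVulnerable reproduces the bug pattern: n is declared but never
// assigned, so it keeps Go's zero value and the guard never passes. The
// write succeeds, but usedTraffic stays at zero.
func processPieceVulnerable(task *Task, piece []byte) {
	var n int64
	result := writePiece(piece)
	_ = result // the real size is computed but ignored by the guard below
	if n > 0 {
		task.AddTraffic(n)
	}
}

// processPieceFixed guards on the actual write size, so every stored piece
// is reflected in usedTraffic.
func processPieceFixed(task *Task, piece []byte) {
	result := writePiece(piece)
	if result.Size > 0 {
		task.AddTraffic(result.Size)
	}
}

// rateLimited is an illustrative limiter: a task whose accounted traffic
// exceeds budget is throttled. With the vulnerable path the counter never
// grows, so the limiter's view of the peer is always wrong.
func rateLimited(task *Task, budget int64) bool {
	return task.UsedTraffic() > budget
}

func main() {
	pieces := [][]byte{make([]byte, 1024), make([]byte, 4096)}
	bad, good := &Task{ID: "vulnerable"}, &Task{ID: "fixed"}
	for _, p := range pieces {
		processPieceVulnerable(bad, p)
		processPieceFixed(good, p)
	}
	for _, t := range []*Task{bad, good} {
		fmt.Printf("%-10s usedTraffic=%d limited(budget=4000)=%v\n",
			t.ID, t.UsedTraffic(), rateLimited(t, 4000))
	}
}
```

Running the block shows the two paths diverging on identical input: the vulnerable task reports zero accounted bytes regardless of how much it wrote, while the fixed task accounts the full 5120 bytes and is throttled once it crosses the budget.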
Mitigation
The issue is fixed in Dragonfly version 2.1.0. There are no workarounds; upgrading is the only solution [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dragonflyoss/dragonfly | Go | < 2.1.0 | 2.1.0 |
| d7y.io/dragonfly/v2 | Go | < 2.1.0 | 2.1.0 |
Affected products
- Range: < 2.1.0
- dragonflyoss/dragonfly: Range: < 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2qgr-gfvj-qpcr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59348 (GHSA, advisory)
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf (GHSA, x_refsource_MISC, web)
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-2qgr-gfvj-qpcr (GHSA, x_refsource_CONFIRM, web)
- pkg.go.dev/vuln/GO-2025-3963 (GHSA, web)
News mentions
No linked articles in our index yet.