
Cloud Vulnerability DB
A community-led vulnerabilities database
Dragonfly, an open source P2P-based file distribution and image acceleration system, disclosed a server-side request forgery (SSRF) vulnerability (CVE-2025-59346) affecting versions prior to 2.1.0. The vulnerability was discovered and reported on September 17, 2025, enabling attackers to force DragonFly2's components to make requests to internal services that should not be accessible to them (GitHub Advisory).
The vulnerability has three contributing causes in the DragonFly2 system. First, the Manager API accepts user-supplied URLs when creating Preheat jobs and validates them insufficiently. Second, a peer can make other peers fetch arbitrary URLs through the pieceManager.DownloadSource method. Third, the internal HTTP clients follow redirects, so even a URL that initially points at an external host can be redirected to an internal service. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability allows attackers to probe or access internal HTTP endpoints that should otherwise be inaccessible. This can potentially lead to unauthorized access to internal services and exposure of sensitive information within the organization's network (GitHub Advisory).
The vulnerability has been fixed in Dragonfly version 2.1.0. There are no effective workarounds available besides upgrading to the patched version (GitHub Advisory).
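The three causes above (unvalidated caller-supplied URLs, peers fetching arbitrary URLs on request, and HTTP clients that follow redirects blindly) all come down to one missing control: a policy on where an outbound fetch is allowed to go, enforced both when the URL is accepted and when the connection is actually made. The Go code below is an added example written for this page; it is not Dragonfly's own code or its 2.1.0 fix, and it assumes nothing about Dragonfly's internal APIs. The names ValidateSourceURL, dialControl, checkRedirect, NewSourceClient and staticResolver are the example's own, and the host names and addresses used in its comments and tests are constructed (TEST-NET and RFC 1918 ranges).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Resolver abstracts DNS so the submission-time check can run against a fake lookup.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// ErrForbiddenTarget marks a URL or address that must never be fetched on a caller's behalf.
var ErrForbiddenTarget = errors.New("forbidden download target")

// isInternalIP reports whether ip lies in a range an outbound fetch should never reach:
// loopback, RFC 1918 / IPv6 ULA, link-local (which includes 169.254.169.254),
// unspecified, multicast and broadcast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.Equal(net.IPv4bcast)
}

// staticResolver is a constructed lookup table for offline use; IP literals resolve to themselves.
func staticResolver(table map[string][]net.IP) Resolver {
	return func(_ context.Context, host string) ([]net.IP, error) {
		if ip := net.ParseIP(host); ip != nil {
			return []net.IP{ip}, nil
		}
		if ips, ok := table[host]; ok {
			return ips, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
}

// ValidateSourceURL is the submission-time check: http/https only, no embedded credentials,
// and every address the host resolves to must be routable outside the deployment.
func ValidateSourceURL(ctx context.Context, raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrForbiddenTarget, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials in URL", ErrForbiddenTarget)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrForbiddenTarget)
	}
	ips, err := resolve(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q: %v", ErrForbiddenTarget, host, err)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrForbiddenTarget, host, ip)
		}
	}
	return u, nil
}

// dialControl runs at connect time on the address actually being dialed, so a host that passed
// ValidateSourceURL but later re-resolves to an internal address (DNS rebinding) is still blocked.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isInternalIP(ip) {
		return fmt.Errorf("%w: dial to %s", ErrForbiddenTarget, address)
	}
	return nil
}

// checkRedirect re-applies the policy to every redirect hop instead of following blindly.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return fmt.Errorf("%w: too many redirects", ErrForbiddenTarget)
	}
	_, err := ValidateSourceURL(req.Context(), req.URL.String(),
		func(ctx context.Context, host string) ([]net.IP, error) {
			return net.DefaultResolver.LookupIP(ctx, "ip", host)
		})
	return err
}

// NewSourceClient builds an http.Client that enforces dialControl on every connection and
// checkRedirect on every redirect; Proxy is left nil so no environment proxy can bypass the check.
func NewSourceClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: dialControl}
	transport := &http.Transport{DialContext: dialer.DialContext, Proxy: nil}
	return &http.Client{Transport: transport, CheckRedirect: checkRedirect, Timeout: 60 * time.Second}
}

func main() {
	resolve := staticResolver(map[string][]net.IP{"mirror.example.net": {net.ParseIP("203.0.113.10")}})
	for _, raw := range []string{"http://mirror.example.net/layer.tar", "http://169.254.169.254/latest/meta-data/"} {
		_, err := ValidateSourceURL(context.Background(), raw, resolve)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

The submission-time check gives the caller fast feedback, but on its own it is not enough: a host can pass validation and resolve differently seconds later, which is why the same predicate is applied again in the dialer's Control hook on the concrete address being connected to. Re-running ValidateSourceURL from CheckRedirect closes the third cause, a redirect from an approved external host to an internal one.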
Source: This report was generated using AI