CVE-2025-59350: 
vulnerability analysis and mitigation

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to version 2.1.0, a timing attack vulnerability (CVE-2025-59350) was identified in the access control mechanism of the Proxy feature. The vulnerability was discovered and disclosed on September 17, 2025, affecting all versions before 2.1.0 (NVD, GitHub Advisory).

The vulnerability stems from the use of simple string comparisons in the Proxy feature's access control mechanism. The code uses short-circuiting equality operations for comparing both username and password: 'if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password'. This implementation makes it susceptible to timing attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and a CVSS v4.0 score of 2.7 (LOW) (NVD).

An attacker could potentially exploit this vulnerability by measuring the execution times of comparison instructions, allowing them to guess the password one character at a time. The full extent of what an attacker might be able to do with access to the proxy password remains undetermined (GitHub Advisory).

The vulnerability has been fixed in Dragonfly version 2.1.0. There are no effective workarounds available besides upgrading to the patched version. Users are strongly advised to upgrade to version 2.1.0 or later (GitHub Advisory).