Description
Advisory GHSA-g2rq-jv54-wcpr references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users.
One SSRF attack vector is exposed by the Manager’s API. The API allows users to create jobs. When creating a Preheat type of a job, users provide a URL that the Manager connects to (see figures 2.1–2.3). The URL is weakly validated, and so users can trick the Manager into sending HTTP requests to services that are in the Manager’...
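The weak validation described above is the root cause: a URL check that only looks at the string (scheme, shape) lets a hostname or IP literal pointing into the Manager's own network through. The following Go program is an added example written for this page, not code from the Dragonfly project; the names `ValidatePreheatURL`, `CheckDialAddr` and `NewSafeClient` and the hostnames in the fake resolver are assumptions made up for illustration. It shows the two layers a defender wants: resolve the host and reject every address that lands in loopback, private, link-local, unspecified or multicast space before the job is accepted, and then re-check the address again at dial time and refuse redirects, which goes beyond the advisory text by also closing the lookup-to-connect window (DNS rebinding, redirect to an internal host).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isDisallowedIP reports whether an address lies in a range a user-supplied
// preheat URL must never reach: loopback, RFC 1918 / ULA private space,
// link-local (IPv4 169.254/16 and IPv6 fe80::/10), unspecified, multicast.
// To4() also catches IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// Resolver abstracts name lookup so the check can be exercised offline;
// net.LookupIP satisfies it in production.
type Resolver func(host string) ([]net.IP, error)

// ValidatePreheatURL accepts only absolute http/https URLs without userinfo
// whose host resolves exclusively to public addresses. Every resolved address
// is checked: a name mapping to one public and one internal address is still
// a pivot into the internal network.
func ValidatePreheatURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo not allowed")
	}
	host := u.Hostname() // strips brackets from IPv6 literals
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // IP literal: nothing to resolve
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return u, nil
}

// CheckDialAddr is the dial-time guard: it re-validates the literal address
// the socket is about to connect to, so a record that changed between the
// lookup in ValidatePreheatURL and the connection is still caught.
func CheckDialAddr(addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isDisallowedIP(ip) {
		return fmt.Errorf("dial to %s blocked", addr)
	}
	return nil
}

// NewSafeClient returns an http.Client whose dialer enforces CheckDialAddr on
// every connection and which does not follow redirects, so a public URL
// cannot bounce the request to an internal service.
func NewSafeClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, c syscall.RawConn) error {
			return CheckDialAddr(address)
		},
	}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed resolver standing in for DNS; the hostnames are made up.
	fake := func(host string) ([]net.IP, error) {
		switch host {
		case "mirror.example.com":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "rebind.example.com": // one public and one internal record
			return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://mirror.example.com/image.tar", // accepted
		"http://rebind.example.com/",           // rejected: resolves to 10.0.0.5
		"http://[::ffff:127.0.0.1]/",           // rejected: mapped loopback
	} {
		_, err := ValidatePreheatURL(raw, fake)
		fmt.Printf("%-40s -> %v\n", raw, err)
	}
	_ = NewSafeClient() // would be used for the actual preheat fetch
}
```

The two-layer design matters because a string-only check passes the moment of validation and nothing else; the `Control` hook in `NewSafeClient` runs on the address the kernel is actually handed, and `http.ErrUseLastResponse` stops a 3xx from an allowed host from silently redirecting into the Manager's network.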
References:
- ADVISORY: GHSA-g2rq-jv54-wcpr
- ADVISORY: GHSA-g2rq-jv54-wcpr
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
  - data/reports/GO-2024-3136.yaml (x/vulndb: potential Go vuln in d7y.io/dragonfly/v2: GHSA-hpc8-7wpm-889w #3136)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
        - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: Dragonfly vulnerable to server-side request forgery in d7y.io/dragonfly
cves:
    - CVE-2025-59346
ghsas:
    - GHSA-g2rq-jv54-wcpr
references:
    - advisory: https://github.com/advisories/GHSA-g2rq-jv54-wcpr
    - advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-g2rq-jv54-wcpr
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-g2rq-jv54-wcpr
    created: 2025-09-17T20:01:21.9086808Z
review_status: UNREVIEWED
```