GHSA-c2fc-9q9c-5486
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c2fc-9q9c-5486
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-c2fc-9q9c-5486/GHSA-c2fc-9q9c-5486.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-c2fc-9q9c-5486
- Aliases
- Published
- 2025-09-17T20:02:30Z
- Modified
- 2025-09-26T16:17:59Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
- Details
-
Impact
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {It is currently undetermined what an attacker may be able to do with access to the proxy password.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
- Database specific
{ "cwe_ids": [ "CWE-208", "CWE-697" ], "github_reviewed": true, "nvd_published_at": "2025-09-17T20:15:37Z", "github_reviewed_at": "2025-09-17T20:02:30Z", "severity": "MODERATE" }- References
-
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486
- https://nvd.nist.gov/vuln/detail/CVE-2025-59350
- https://github.com/dragonflyoss/dragonfly
- https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
- https://pkg.go.dev/vuln/GO-2025-3972
Affected packages
Go / github.com/dragonflyoss/dragonfly
Package
- Name
- github.com/dragonflyoss/dragonfly
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/dragonflyoss/dragonfly
Go / d7y.io/dragonfly/v2
Package
- Name
- d7y.io/dragonfly/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/d7y.io/dragonfly/v2