PT-2025-38253 · Dragonfly · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27 · CVE-2025-59345 · CVSS v4.0 8.7 High

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Dragonfly versions prior to 2.1.0

Description
The /api/v1/jobs and /preheats endpoints of the Manager web UI are reachable without authentication. An unauthenticated adversary with network access to a Manager web UI can create, delete and modify jobs, and can create preheat jobs. Because no credentials are checked, exploitation is nothing more than ordinary HTTP requests to those paths. An attacker can use this to create a large number of junk jobs, driving the Manager into a denial-of-service state in which it stops accepting requests from legitimate administrators.

Recommendations
Upgrade to version 2.1.0 or later. Until the upgrade is applied, restrict network access to the Manager web UI so that only trusted administrator hosts can reach it, since network reachability is the only precondition for this attack.
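The following is an added illustration written for this page, not Dragonfly's own code. It models the flaw with a minimal net/http router: the two job routes mounted with no authentication, the same routes wrapped in an auth check, and a probe that plays the unauthenticated attacker and the flood of junk job-creation requests the advisory describes. The bearer-token check, the handler body, the request body and the token value are all constructed stand-ins for whatever the real Manager uses on its other routes.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// createJob stands in for the handler behind /api/v1/jobs and /preheats.
// Constructed placeholder, not the Dragonfly Manager's handler: it accepts
// any POST and reports a job as created.
func createJob(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"id":1,"state":"PENDING"}`)
}

// requireBearer rejects any request whose Authorization header does not carry
// the expected bearer token. Hypothetical stand-in for the session or JWT
// validation the real Manager applies elsewhere; the comparison is
// constant-time so the check itself does not leak the token.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		got := strings.TrimPrefix(auth, "Bearer ")
		if !strings.HasPrefix(auth, "Bearer ") ||
			subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableRouter mirrors the pre-2.1.0 mistake: the job routes are mounted
// with no authentication, so anyone who can reach the port can create jobs.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/jobs", createJob)
	mux.HandleFunc("/preheats", createJob)
	return mux
}

// hardenedRouter mounts the same routes behind the auth middleware.
func hardenedRouter(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/jobs", requireBearer(token, http.HandlerFunc(createJob)))
	mux.Handle("/preheats", requireBearer(token, http.HandlerFunc(createJob)))
	return mux
}

// probe plays the attacker (empty token) or an administrator (valid token):
// it POSTs a constructed job-creation body and returns the HTTP status code.
func probe(h http.Handler, path, token string) int {
	body := `{"type":"preheat","args":{"url":"http://example.invalid/blob"}}`
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// floodJobs models the DoS step from the advisory: fire n unauthenticated
// job-creation requests and count how many the router accepted.
func floodJobs(h http.Handler, n int) int {
	accepted := 0
	for i := 0; i < n; i++ {
		if probe(h, "/api/v1/jobs", "") == http.StatusOK {
			accepted++
		}
	}
	return accepted
}

func main() {
	const token = "admin-session-token" // constructed value
	fmt.Println("vulnerable, no creds   :", probe(vulnerableRouter(), "/api/v1/jobs", ""))
	fmt.Println("hardened,   no creds   :", probe(hardenedRouter(token), "/api/v1/jobs", ""))
	fmt.Println("hardened,   valid creds:", probe(hardenedRouter(token), "/preheats", token))
	fmt.Println("flood accepted (vuln)  :", floodJobs(vulnerableRouter(), 1000))
	fmt.Println("flood accepted (fixed) :", floodJobs(hardenedRouter(token), 1000))
}
```

The same probe, pointed at a real Manager instead of an in-process router, is the quickest way to confirm whether an instance is affected: an unauthenticated POST to /api/v1/jobs that returns anything other than 401 means the route is still open.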

Exploit · Fix · DoS

Weakness Enumeration

Missing Authentication
Improper Authentication

Related Identifiers

CVE-2025-59345
GHSA-89VC-VF32-CH59
GO-2025-3965
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products

Dragonfly