CVE-2025-59350: Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
```go
// The short-circuiting comparison referenced as figure 8.1
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {
```
It is currently undetermined what an attacker may be able to do with access to the proxy password.
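As an added illustration (not code from the Dragonfly project or from the advisory), the short-circuiting check above beside a constant-time form built on Go's crypto/subtle; the basicAuth struct, the function names and the sample credentials are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// basicAuth mirrors the proxy.basicAuth fields named in the advisory
// (hypothetical struct for this example).
type basicAuth struct {
	Username string
	Password string
}

// checkAuthVulnerable reproduces the comparison described in the advisory.
// Both != operators return at the first differing byte, and || skips the
// password check entirely when the username is wrong, so response time
// correlates with how many leading characters of the guess were correct.
func checkAuthVulnerable(cfg basicAuth, user, pass string) bool {
	if user != cfg.Username || pass != cfg.Password {
		return false
	}
	return true
}

// digest hashes a value so that the two byte slices handed to
// ConstantTimeCompare always have equal length; ConstantTimeCompare
// returns 0 immediately on a length mismatch, which would otherwise leak
// the length of the configured secret.
func digest(s string) []byte {
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

// checkAuthConstantTime is the hardened form: every byte is examined
// regardless of where the first mismatch occurs, both fields are always
// compared (no short-circuit), and the results are combined with & rather
// than a branch.
func checkAuthConstantTime(cfg basicAuth, user, pass string) bool {
	userOK := subtle.ConstantTimeCompare(digest(user), digest(cfg.Username))
	passOK := subtle.ConstantTimeCompare(digest(pass), digest(cfg.Password))
	return (userOK & passOK) == 1
}

func main() {
	cfg := basicAuth{Username: "proxy", Password: "s3cret"} // constructed sample
	fmt.Println(checkAuthVulnerable(cfg, "proxy", "s3cret"), checkAuthConstantTime(cfg, "proxy", "s3cret"))
	fmt.Println(checkAuthVulnerable(cfg, "proxy", "s3cres"), checkAuthConstantTime(cfg, "proxy", "s3cres"))
}
```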
References
- github.com/advisories/GHSA-c2fc-9q9c-5486
- github.com/dragonflyoss/dragonfly
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-c2fc-9q9c-5486
- nvd.nist.gov/vuln/detail/CVE-2025-59350
- pkg.go.dev/vuln/GO-2025-3972