
CVE-2025-59345: Dragonfly doesn't have authentication enabled for some Manager’s endpoints

September 17, 2025 (updated September 18, 2025)

The /api/v1/jobs and /preheats endpoints of the Manager web UI are reachable without authentication. Any user with network access to the Manager can create, delete and modify jobs, and can create preheat jobs.

Example impact: an unauthenticated adversary with network access to a Manager web UI uses the /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is driven into a denial-of-service state and stops accepting requests from legitimate administrators.
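The following Go program is an added illustration, not code from the Dragonfly project, of the CWE-306 pattern the advisory describes and of a side-effect-free check a practitioner can run against a Manager. It builds a toy Manager router twice: once with the two job routes mounted bare (the weak pattern) and once with them behind an authentication gate, then probes both with an unauthenticated GET and reports which paths answered 2xx. The bearer token, the requireAuth middleware and the jobsHandler body are constructed stand-ins for whatever a real Manager does; only the two endpoint paths come from the advisory.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// The two Manager endpoints the advisory names as reachable without authentication.
var jobEndpoints = []string{"/api/v1/jobs", "/preheats"}

// exampleAdminToken is a constructed credential for this demo, not a real Dragonfly token.
const exampleAdminToken = "Bearer example-admin-token"

// requireAuth is a hypothetical bearer-token gate standing in for whatever session
// or OAuth check a real Manager performs on its other routes.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != exampleAdminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// jobsHandler stands in for the job/preheat controller; it accepts every request it sees.
func jobsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"ok":true,"method":%q,"path":%q}`, r.Method, r.URL.Path)
}

// newManager builds a toy Manager router. With protected=false the job routes are
// mounted bare (the missing-authentication pattern); with protected=true every job
// route passes through requireAuth before reaching the controller.
func newManager(protected bool) http.Handler {
	mux := http.NewServeMux()
	var h http.Handler = http.HandlerFunc(jobsHandler)
	if protected {
		h = requireAuth(h)
	}
	for _, p := range jobEndpoints {
		mux.Handle(p, h)
	}
	return mux
}

// probe issues an unauthenticated GET to each job endpoint and returns the paths that
// answered 2xx. GET is used deliberately so the check lists rather than creates jobs
// on a vulnerable instance; a 401 or 403 means the route is gated.
func probe(client *http.Client, base string) ([]string, error) {
	var exposed []string
	for _, p := range jobEndpoints {
		resp, err := client.Get(base + p)
		if err != nil {
			return nil, fmt.Errorf("GET %s: %w", p, err)
		}
		resp.Body.Close()
		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
			exposed = append(exposed, p)
		}
	}
	return exposed, nil
}

func main() {
	// Run the probe against both variants on in-process test servers.
	for _, protected := range []bool{false, true} {
		srv := httptest.NewServer(newManager(protected))
		exposed, err := probe(srv.Client(), srv.URL)
		srv.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("protected=%v exposed=%v\n", protected, exposed)
	}
}
```

Pointing probe at a real Manager's base URL is a quick pre- and post-upgrade check: any job path in the returned slice is reachable without credentials. The fix shown here is the structural one the advisory implies, registering the job routes through the same gate as the rest of the authenticated API rather than mounting them bare.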

References

  • github.com/advisories/GHSA-89vc-vf32-ch59
  • github.com/dragonflyoss/dragonfly
  • github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
  • github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59
  • nvd.nist.gov/vuln/detail/CVE-2025-59345

Affected versions

All versions before 2.1.0

Fixed versions

  • 2.1.0

Solution

Upgrade to version 2.1.0 or above.

Weakness

  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function

Source file

go/github.com/dragonflyoss/dragonfly/CVE-2025-59345.yml


Page generated Fri, 19 Sep 2025 12:20:15 +0000.