CVE-2025-59350: Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {
It is currently undetermined what an attacker may be able to do with access to the proxy password.
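The comparison quoted above is what makes the check timing-dependent: Go's `!=` on strings returns at the first differing byte, and `||` skips the password comparison altogether when the username is wrong, so response time tracks how much of each secret a request got right. The following added example (not Dragonfly's code; the `basicAuth` struct and function names are constructed for illustration) places that vulnerable pattern beside a constant-time replacement built on `crypto/subtle.ConstantTimeCompare`. Both inputs are hashed before comparison so the compared slices always have equal length, and the two results are combined with a bitwise AND so neither comparison is ever skipped.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// basicAuth holds the configured proxy credentials.
// Constructed sample type for this example, not Dragonfly's own.
type basicAuth struct {
	Username string
	Password string
}

// checkVulnerable mirrors the short-circuiting comparison from the advisory.
// Timing depends on (a) whether the username matched at all and (b) the length
// of the matching prefix of each secret, which is what a timing attack measures.
func checkVulnerable(cfg basicAuth, user, pass string) bool {
	if user != cfg.Username || pass != cfg.Password {
		return false
	}
	return true
}

// checkConstantTime compares both credentials in constant time.
// Hashing first gives fixed-length inputs, so ConstantTimeCompare never
// takes its early "lengths differ" exit and the secret's length is not leaked.
// Both comparisons are always evaluated; the bitwise AND (not &&) keeps the
// second from being skipped when the first fails.
func checkConstantTime(cfg basicAuth, user, pass string) bool {
	gotUser := sha256.Sum256([]byte(user))
	wantUser := sha256.Sum256([]byte(cfg.Username))
	gotPass := sha256.Sum256([]byte(pass))
	wantPass := sha256.Sum256([]byte(cfg.Password))

	userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) // 1 if equal, else 0
	passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:])
	return userOK&passOK == 1
}

func main() {
	// Constructed sample credentials for a local run.
	cfg := basicAuth{Username: "proxy-user", Password: "correct horse battery staple"}

	fmt.Println("vulnerable, right creds :", checkVulnerable(cfg, "proxy-user", "correct horse battery staple"))
	fmt.Println("vulnerable, wrong pass  :", checkVulnerable(cfg, "proxy-user", "correct horse battery stapl3"))
	fmt.Println("hardened,   right creds :", checkConstantTime(cfg, "proxy-user", "correct horse battery staple"))
	fmt.Println("hardened,   wrong user  :", checkConstantTime(cfg, "someone-else", "correct horse battery staple"))
}
```

Both functions accept and reject the same inputs; the difference is only in how long each rejection takes, which is the property the advisory's attack depends on. Hashing does not add secrecy (an attacker who knows the hash input still authenticates), it only normalises lengths so the constant-time primitive can be used safely.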