Headline
GHSA-c2fc-9q9c-5486: Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
Impact
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {
It is currently undetermined what an attacker may be able to do with access to the proxy password.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-59350
Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
Moderate severity GitHub Reviewed Published Sep 17, 2025 in dragonflyoss/dragonfly • Updated Sep 17, 2025
Package
gomod github.com/dragonflyoss/dragonfly (Go)
Affected versions
< 2.1.0
Impact
The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times.
The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation.
if user != proxy.basicAuth.Username || pass != proxy.basicAuth.Password {
It is currently undetermined what an attacker may be able to do with access to the proxy password.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
References
- GHSA-c2fc-9q9c-5486
- https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Published to the GitHub Advisory Database
Sep 17, 2025
Last updated
Sep 17, 2025