Dragonfly
Monthly
Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.
Dragonfly P2P file distribution system versions 2.4.1-rc.0 and below have a missing authentication vulnerability allowing unauthenticated access to the management API.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.0), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
Dragonfly is a Java runtime dependency management library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.
Dragonfly P2P file distribution system versions 2.4.1-rc.0 and below have a missing authentication vulnerability allowing unauthenticated access to the management API.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.0), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
Dragonfly is a Java runtime dependency management library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.