Skip to main content

Dragonfly

18 CVEs product

Monthly

CVE-2026-54341 HIGH PATCH This Week

Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.

Denial Of Service Buffer Overflow Information Disclosure Dragonfly
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-47206 LOW PATCH Monitor

RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.

Code Injection Redis Dragonfly
NVD GitHub
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-24124 Go CRITICAL POC PATCH Act Now

Dragonfly P2P file distribution system versions 2.4.1-rc.0 and below have a missing authentication vulnerability allowing unauthenticated access to the management API.

Authentication Bypass Dragonfly Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59410 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-59354 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-59353 Go HIGH POC PATCH This Week

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Dragonfly Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-59352 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Dragonfly Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.8%
CVE-2025-59351 Go LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Dragonfly
NVD GitHub
CVSS 4.0
2.7
EPSS
0.1%
CVE-2025-59350 Go LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly
NVD GitHub
CVSS 4.0
2.7
EPSS
0.1%
CVE-2025-59349 Go LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.0), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Dragonfly
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-59348 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-59347 Go LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Dragonfly
NVD GitHub
CVSS 4.0
2.7
EPSS
0.0%
CVE-2025-59346 Go MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Dragonfly Suse
NVD GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-59345 Go HIGH PATCH This Week

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Dragonfly Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-26269 LOW POC PATCH Monitor

DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

Integer Overflow Denial Of Service Dragonfly
NVD GitHub
CVSS 3.1
3.3
EPSS
0.1%
CVE-2025-26268 LOW POC PATCH Monitor

DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Redis Dragonfly
NVD GitHub
CVSS 3.1
3.3
EPSS
0.2%
CVE-2022-41967 HIGH PATCH This Week

Dragonfly is a Java runtime dependency management library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Dragonfly
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2021-33564 Ruby CRITICAL POC PATCH THREAT Act Now

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Dragonfly
NVD GitHub
CVSS 3.1
9.8
EPSS
72.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.

Code Injection Redis Dragonfly
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Dragonfly P2P file distribution system versions 2.4.1-rc.0 and below have a missing authentication vulnerability allowing unauthenticated access to the management API.

Authentication Bypass Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Dragonfly Suse
NVD GitHub
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

RCE Path Traversal Dragonfly +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Dragonfly
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.0), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Dragonfly
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Dragonfly
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Dragonfly is an open source P2P-based file distribution and image acceleration system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Dragonfly Suse
NVD GitHub
EPSS 0% CVSS 3.3
LOW POC PATCH Monitor

DragonflyDB Dragonfly through 1.28.2 (fixed in 1.29.0) allows authenticated users to cause a denial of service (daemon crash) via a Lua library command that references a large negative integer. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

Integer Overflow Denial Of Service Dragonfly
NVD GitHub
EPSS 0% CVSS 3.3
LOW POC PATCH Monitor

DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

Denial Of Service Redis Dragonfly
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Dragonfly is a Java runtime dependency management library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Java XXE Dragonfly
NVD GitHub
EPSS 72% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Dragonfly
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy