Listen to this Post
The vulnerability exists within the Manager component of Dragonfly, specifically affecting its web UI endpoints. The `/api/v1/jobs` and `/preheats` API endpoints were implemented without any authentication mechanisms. This design flaw allows any network request reaching the Manager’s port to interact with these endpoints freely. An attacker can send crafted HTTP POST requests to the `/api/v1/jobs` endpoint to create new, resource-intensive jobs. By flooding the endpoint with such requests, the Manager’s resources are exhausted, leading to a denial-of-service condition where legitimate administrative requests can no longer be processed. Similarly, the `/preheats` endpoint can be abused to trigger unauthorized preheating operations.
Platform: Dragonfly
Version: < 2.1.6
Vulnerability: Auth Bypass
Severity: High
date: 2025-09-17
Prediction: Patch 2025-09-24
What Undercode Say:
`curl -X POST http://
`netstat -tlnp | grep `
`iptables -A INPUT -p tcp –dport
How Exploit:
Send unauthenticated POST requests to /api/v1/jobs to create numerous jobs, consuming system resources and causing a DoS.
Protection from this CVE
Upgrade to version 2.1.6 or later which implements authentication checks on the affected endpoints. If immediate upgrade is not possible, restrict network access to the Manager’s web UI port using firewall rules.
Impact:
Denial-of-Service (DoS) condition rendering the Manager unresponsive, unauthorized creation and deletion of jobs, and unauthorized triggering of preheat operations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

