Cyber Resilience

CVE-2025-59350

Low

Published: 17 September 2025

Published
17 September 2025
Modified
18 September 2025
KEV Added
Patch
CVSS Score v4 2.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.3th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59350 is a low-severity Observable Timing Discrepancy (CWE-208) vulnerability in Linuxfoundation Dragonfly. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess…

more

the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Vulnerability in Proxy basic authentication enables timing attacks for efficient password guessing by measuring string comparison execution times character-by-character.

Affected Assets

linuxfoundation
dragonfly
≤ 2.1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks.

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

References