Dragonfly P2P File Distribution System Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Dragonfly, an open-source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 are affected. The flaw lets a user turn Dragonfly's own components into a proxy for requests to internal services that are otherwise unreachable from outside the cluster. It stems from the Manager API's weak validation of the user-supplied URL when a Preheat job is created: because the URL is not restricted, peers carrying out the job can be made to fetch arbitrary URLs, including ones that point at or redirect to internal addresses, which lets an attacker probe or read internal HTTP endpoints.

Impact

Exploitation gives an attacker unauthorized, indirect access to internal services through SSRF: the Manager and peers make the requests on the attacker's behalf, so internal HTTP endpoints that are not exposed externally can be probed for existence or queried for sensitive data.

Reproduction

To reproduce this vulnerability, create a Preheat job through the Manager API and supply a URL that points at, or redirects to, an internal service. Because the URL is only weakly validated, the request is sent to that internal service. Alternatively, trigger the pieceManager.DownloadSource method on a peer; it fetches metadata from the supplied URL and follows redirects, so it can likewise be steered to internal services.
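The root cause in the Vulnerability and Reproduction sections above is a URL check that only requires the value to parse, combined with a fetcher that follows redirects wherever they lead. The Go program below is an added example, not Dragonfly's own code and not the actual pre-2.1.0 validator: weakValidate stands in for that class of check, and validatePreheatURL, dialControl and safeClient show the hardening a practitioner would apply: scheme allow-list, no embedded credentials, resolve the host and reject loopback, RFC 1918, link-local (including the 169.254.169.254 metadata endpoint), CGNAT and IPv4-mapped literals, re-check the literal address at dial time to close the DNS-rebinding window, and re-validate every redirect hop. The Resolver type, the function names and the hostnames and addresses in main are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// Resolver abstracts DNS so the checks run offline; production code would
// pass net.LookupIP. (Assumed helper type, not a Dragonfly type.)
type Resolver func(host string) ([]net.IP, error)

// Ranges the net.IP predicates in isBlockedIP do not cover: "this" network
// and the shared CGNAT space.
var extraBlocked = []string{"0.0.0.0/8", "100.64.0.0/10"}

// isBlockedIP reports whether an address lies in a range a preheat source must
// never reach. IsLinkLocalUnicast covers 169.254.169.254 (cloud metadata);
// IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are handled via To4().
func isBlockedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	for _, c := range extraBlocked {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// weakValidate illustrates the class of check the advisory describes: the value
// only has to parse as a URL, so http://127.0.0.1:8002/ or file:///etc/passwd
// pass. (Illustrative; not Dragonfly's actual pre-2.1.0 code.)
func weakValidate(raw string) error {
	_, err := url.Parse(raw)
	return err
}

// validatePreheatURL is the hardened form: absolute http(s) URL, a host, no
// embedded credentials, and no resolved address in a blocked range.
func validatePreheatURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve it
		if ips, err = resolve(host); err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// dialControl re-checks the literal address about to be connected to, so a DNS
// answer that changes between validation and dial (rebinding) cannot bypass it.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("refusing to dial %s", address)
	}
	return nil
}

// safeClient enforces the policy at connect time and on every redirect hop, the
// path the advisory describes for reaching internal services.
func safeClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Control: dialControl}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return validatePreheatURL(req.URL.String(), resolve)
		},
	}
}

func main() {
	// Constructed resolver standing in for DNS; hosts/addresses are example data.
	fake := func(host string) ([]net.IP, error) {
		switch host {
		case "registry.example.com":
			return []net.IP{net.ParseIP("203.0.113.7")}, nil
		case "registry.corp.example":
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
	for _, raw := range []string{
		"https://registry.example.com/v2/",
		"http://registry.corp.example/admin",
		"http://[::ffff:169.254.169.254]/latest/meta-data/",
		"file:///etc/passwd",
	} {
		fmt.Printf("%-52s weak=%v hardened=%v\n", raw, weakValidate(raw), validatePreheatURL(raw, fake))
	}
	_ = safeClient(fake) // the client the preheat fetch would actually use
}
```

The dial-time check matters because validating the URL once and then letting a stock http.Client resolve it again is a time-of-check/time-of-use gap; the CheckRedirect hook matters because the redirect path is exactly how the advisory says internal services are reached. A deny-list of private ranges is a floor, not a ceiling: if the deployment knows which registries it preheats from, an allow-list of hostnames on top of this is stricter.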

Remediation

Users are advised to upgrade to Dragonfly version 2.1.0 or later.

Added: Sep 17, 2025, 8:24 PM
Updated: Sep 17, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          2.5
exploitability  6.0
remediation     7.7
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.