CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-chwm-m7g7-685g: Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

mediumCVE-2026-54637
Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery (SSRF). When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile() and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled PeerHost.Ip / PeerHost.DownPort fields of the gRPC request body. The HTTP client uses a bare http.Transport with no address validation, so a remote, unauthenticated client can force the scheduler to connect to arbitrary internal addresses, including 127.0.0.1 (loopback), 169.254.0.0/16 (link-local, e.g. cloud metadata), and RFC1918 ranges. The fetched response is stored in Task.DirectPiece and can subsequently be served to other peers, making this a read-SSRF with a data-exfiltration path. The manager's preheat code path already wraps its HTTP client with nethttp.NewSafeDialer() (which rejects non-global-unicast destinations); the scheduler's DownloadTinyFile path is missing this guard (sibling gap). Severity Medium. The attack requires no authentication (the scheduler gRPC server runs with insecure transport credentials by default and has no auth interceptor), and the destination is fully attacker-controlled. Impact is limited to read-SSRF: blind reachability probing of internal hosts/ports plus exfiltration of up to TinyFileSize (128) bytes per task from internal HTTP services into Task.DirectPiece. It is not remote code execution, and PeerHost.DownPort is constrained by proto validation to >= 1024, which excludes destination port 80. Affected component - Repository: dragonflyoss/dragonfly - Go module: d7y.io/dragonfly/v2 - Component: scheduler, v1 gRPC protocol - Affected file: scheduler/resource/standard/peer.go (DownloadTinyFile), reached via scheduler/service/service_v1.go (storeHost, RegisterPeerTask, ReportPeerResult, handlePeerSuccess) - Verified against: latest release v2.4.4-rc.2 (commit 0822e3aecc3369017d6b25c9441ff6f318129b31) Description / Root caus

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-chwm-m7g7-685g

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54637coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories