CVE-2025-59347

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf	Product
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:dragonfly:*:*:*:*:*:go:*:*

History

17 Jun 2026, 09:45

Type	Values Removed	Values Added
Summary		(es) Dragonfly es un sistema de distribución de archivos y aceleración de imágenes de código abierto basado en P2P. Antes de la versión 2.1.0, The Manager deshabilita la verificación de certificados TLS en los clientes HTTP. Los clientes no son configurables, por lo que los usuarios no tienen forma de volver a habilitar la verificación. Un Manager procesa docenas de trabajos de precalentamiento. Un adversario realiza un ataque man-in-the-middle a nivel de red, proporcionando datos no válidos al Manager. El Manager precalienta con los datos incorrectos, lo que posteriormente causa una denegación de servicio y problemas de integridad de archivos. Esta vulnerabilidad se corrige en la versión 2.1.0.

18 Sep 2025, 20:19

Type	Values Removed	Values Added
References	~~() https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf -~~	() https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf - Product
References	~~() https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97 -~~	() https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97 - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Linuxfoundation Linuxfoundation dragonfly
CPE		cpe:2.3:a:linuxfoundation:dragonfly::::::go::*

17 Sep 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-17 20:15

Updated : 2026-06-17 09:45

NVD link : CVE-2025-59347

Mitre link : CVE-2025-59347

CVE.ORG link : CVE-2025-59347

JSON object : View

Products Affected

linuxfoundation

dragonfly

CWE

CWE-295

Improper Certificate Validation

6.5 /10