CVE-2025-59347
Published 2025-09-17
Priority: P3 (36) · Severity: Medium, 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:L / A:H
EPSS: 0.16% (5.4th percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in its HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary with a network-level Man-in-the-Middle position can provide invalid data to the Manager, which then preheats with the wrong data; this later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0 | 2.1.0 |
| dragonflyoss | dragonfly | < 2.1.0 | 2.1.0 |
| github.com | dragonflyoss_dragonfly | >= 0 < 2.1.0 | 2.1.0 |
| linuxfoundation | dragonfly | < 2.1.0 | 2.1.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H |
| NVD | 4.0 | 2.7 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:L/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2025-09-24
CVE-2025-59347: Dragonfly's manager makes requests to external endpoints with disabled TLS authentication in d7y.io/dragonfly
OSV · 2025-09-17
CVE-2025-59347 [MEDIUM]: Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
### Impact
The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2 of the original advisory; one is reproduced below). The clients are not configurable, so users have no way to re-enable the verification.
```golang
func getAuthToken(ctx context.Context, header http.Header) (string, error) {
	// [skipped]
	client := &http.Client{
		Timeout: defaultHTTPRequesttimeout,
		Transport: &http.Transport{
			// Verification is disabled unconditionally; nothing in the Manager's
			// configuration can turn it back on.
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
	// [skipped]
}
```
A Manager processes dozens of preheat jobs. An adversary with a network-level Man-in-the-Middle position can present any certificate and serve invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems.
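The following Go program is an added example, not code from the Dragonfly project or from the advisory. It puts the vulnerable client construction beside a hardened one and runs both against a local TLS server whose self-signed certificate stands in for the certificate an on-path attacker would present. All names here (newInsecureClient, newVerifyingClient, runScenario, the constructed "tampered-preheat-manifest" payload) are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

const requestTimeout = 5 * time.Second

// newInsecureClient mirrors the pre-2.1.0 pattern: verification is switched
// off at construction time and nothing the operator configures can restore it.
func newInsecureClient() *http.Client {
	return &http.Client{
		Timeout: requestTimeout,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
}

// newVerifyingClient is the hardened form: verification stays on, and an
// operator who needs a private CA supplies a root pool instead of disabling it.
func newVerifyingClient(roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if roots != nil {
		cfg.RootCAs = roots // nil leaves the system trust store in place
	}
	return &http.Client{
		Timeout:   requestTimeout,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// fetch performs a GET and returns the body or the transport error.
func fetch(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// isCertError reports whether err is a certificate verification failure
// (net/http wraps it in *url.Error, so errors.As is used to unwrap it).
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &hostErr) ||
		errors.As(err, &invalid) || errors.As(err, &noRoots)
}

// Outcome records how each client behaved against a certificate no trusted CA signed.
type Outcome struct {
	InsecureAccepted bool   // vulnerable client used the data without complaint
	DefaultRejected  bool   // hardened client with system roots refused it
	PinnedAccepted   bool   // hardened client trusting the right CA succeeded
	Body             string // what the vulnerable client received
}

// runScenario starts a throwaway TLS server (httptest generates a self-signed
// certificate) and exercises the three clients against it.
func runScenario() (Outcome, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "tampered-preheat-manifest") // constructed stand-in for tampered preheat data
	}))
	defer srv.Close()

	var out Outcome
	body, err := fetch(newInsecureClient(), srv.URL)
	if err != nil {
		return out, fmt.Errorf("insecure client unexpectedly failed: %w", err)
	}
	out.InsecureAccepted = true
	out.Body = string(body)
	_, err = fetch(newVerifyingClient(nil), srv.URL)
	out.DefaultRejected = isCertError(err)
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	_, err = fetch(newVerifyingClient(roots), srv.URL)
	out.PinnedAccepted = err == nil
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The verifying client fails closed with an x509 error for the untrusted certificate, and the only way to make it accept a private CA is to hand it a RootCAs pool, as newVerifyingClient does. That is the shape of the fix an operator should expect: a configurable trust store, never a hard-coded InsecureSkipVerify.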
GHSA · 2025-09-17
CVE-2025-59347 [MEDIUM] CWE-287: Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.