CVE-2025-59353
published 2025-09-17CVE-2025-59353: Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary…
PriorityP345high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
0.22%
12.3th percentile
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0 | 2.1.0 |
| dragonflyoss | dragonfly | < 2.1.0 | 2.1.0 |
| github.com | dragonflyoss_dragonfly | >= 0 < 2.1.0 | 2.1.0 |
| linuxfoundation | dragonfly | < 2.1.0 | 2.1.0 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv4.07.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
osv·2025-09-24
CVE-2025-59353 DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
OSV
DragonFly's manager generates mTLS certificates for arbitrary IP addresses
osv·2025-09-17
CVE-2025-59353 [HIGH] DragonFly's manager generates mTLS certificates for arbitrary IP addresses
DragonFly's manager generates mTLS certificates for arbitrary IP addresses
### Impact
A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request.
```golang
if addr, ok := p.Addr.(*net.TCPAddr); ok {
ip = addr.IP.String()
} else {
ip, _, err = net.SplitHostPort(p.Addr.String())
if err != nil {
return nil, err
}
}
// Parse csr.
[skipped]
// Check csr signature.
// TODO check csr common name and so on.
if err = csr.CheckSignature(); err != nil {
return nil, err
}
[skipped]
//
GHSA
DragonFly's manager generates mTLS certificates for arbitrary IP addresses
ghsa·2025-09-17
CVE-2025-59353 [HIGH] CWE-295 DragonFly's manager generates mTLS certificates for arbitrary IP addresses
DragonFly's manager generates mTLS certificates for arbitrary IP addresses
### Impact
A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request.
```golang
if addr, ok := p.Addr.(*net.TCPAddr); ok {
ip = addr.IP.String()
} else {
ip, _, err = net.SplitHostPort(p.Addr.String())
if err != nil {
return nil, err
}
}
// Parse csr.
[skipped]
// Check csr signature.
// TODO check csr common name and so on.
if err = csr.CheckSignature(); err != nil {
return nil, err
}
[skipped]
//
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-09-17
Published