CVE-2025-59347
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | to 2.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Dragonfly versions prior to 2.1.0, where the Manager disables TLS certificate verification in HTTP clients and does not allow users to re-enable it. This allows an attacker performing a network-level Man-in-the-Middle attack to provide invalid data to the Manager. As a result, the Manager preheats with incorrect data, leading to denial of service and file integrity issues.
How can this vulnerability impact me? :
The vulnerability can lead to denial of service and file integrity problems because the Manager may process and distribute incorrect data supplied by an attacker. This can disrupt normal operations and compromise the reliability of the file distribution system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly to version 2.1.0 or later, as this version fixes the vulnerability by enabling TLS certificate verification in HTTP clients. Until then, be aware that the Manager disables TLS certificate verification and is vulnerable to Man-in-the-Middle attacks causing denial of service and file integrity issues.