CVE-2025-59347
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-17

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-17
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59347
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation dragonfly to 2.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dragonfly versions prior to 2.1.0, where the Manager disables TLS certificate verification in HTTP clients and does not allow users to re-enable it. This allows an attacker performing a network-level Man-in-the-Middle attack to provide invalid data to the Manager. As a result, the Manager preheats with incorrect data, leading to denial of service and file integrity issues.

Impact Analysis

The vulnerability can lead to denial of service and file integrity problems because the Manager may process and distribute incorrect data supplied by an attacker. This can disrupt normal operations and compromise the reliability of the file distribution system.

Mitigation Strategies

Upgrade Dragonfly to version 2.1.0 or later, as this version fixes the vulnerability by enabling TLS certificate verification in HTTP clients. Until then, be aware that the Manager disables TLS certificate verification and is vulnerable to Man-in-the-Middle attacks causing denial of service and file integrity issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59347. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart