CVE-2025-59354
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | to 2.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Dragonfly, an open source P2P-based file distribution and image acceleration system. Prior to version 2.1.0, Dragonfly used various hash functions including MD5 to verify downloaded files. Because MD5 is vulnerable to hash collisions, attackers could exploit this by replacing legitimate files with malicious ones that have the same hash value, allowing the malicious files to be accepted as valid.
How can this vulnerability impact me? :
This vulnerability can allow attackers to replace legitimate files distributed by Dragonfly with malicious files that have colliding hashes. This can lead to the execution or distribution of malicious code or corrupted data, potentially compromising system integrity and security.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly to version 2.1.0 or later, as this version fixes the vulnerability by removing the use of weak hash functions like MD5 for downloaded files.