CVE-2025-59410
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | < 2.1.0 (2.1.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Dragonfly before version 2.1.0, the scheduler fetches tiny files over plain HTTP instead of HTTPS (CWE-311, cleartext transmission of sensitive information). Because the request and its response travel unencrypted and unauthenticated, an attacker positioned on the network path between the scheduler and the server it downloads from can intercept the exchange and rewrite the response, so the scheduler ends up with different data than the file it asked for. No credentials or prior access to Dragonfly are needed, only a man-in-the-middle position on that path.
How can this vulnerability impact me?
An on-path attacker (for example on a shared network segment or a compromised router between the scheduler and the download source) can read and modify the tiny-file downloads Dragonfly performs, substituting malicious or incorrect content for the intended file. Because Dragonfly is a file-distribution system, a substituted file is not confined to the scheduler host: it can be served onward to every consumer of that file, compromising the integrity of the systems that rely on it.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly to version 2.1.0 or later, where the scheduler requests tiny files over HTTPS rather than HTTP. Until the upgrade is done, keep the scheduler's traffic to its download sources on network paths you trust, since the only protection in the affected versions is the network itself. After upgrading, confirm the fix is in effect on your deployment, for instance with a packet capture on the scheduler host showing tiny-file requests going out over TLS, and make sure TLS certificate verification has not been disabled in the scheduler's configuration, because HTTPS without verification still allows the same on-path substitution.
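The example below is added here to illustrate the class of bug this advisory describes and the checks that prevent it; it is not Dragonfly's own code and the function names, ports and paths are hypothetical. It shows the plaintext URL construction the advisory describes beside the hardened form, a `requireTLS` guard that makes any regression to `http://` fail closed, and, as defence in depth beyond what the advisory's fix does, a SHA-256 digest check on the downloaded body. `runDemo` stands up local `httptest` servers (constructed fixtures, no network access) to show that the hardened fetcher accepts the genuine file over TLS, refuses the plaintext server before sending a byte, and rejects a substituted body even when transport trust is misconfigured.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// buildTinyFileURLInsecure reproduces the pre-2.1.0 pattern the advisory describes (hypothetical
// names, not Dragonfly's code): a plaintext scheme, so anyone on the path can rewrite the exchange (CWE-311).
func buildTinyFileURLInsecure(host string, port int, path string) string {
	return fmt.Sprintf("http://%s:%d/%s", host, port, strings.TrimPrefix(path, "/"))
}

// buildTinyFileURL is the hardened form: the scheme is always https.
func buildTinyFileURL(host string, port int, path string) string {
	return fmt.Sprintf("https://%s:%d/%s", host, port, strings.TrimPrefix(path, "/"))
}

// requireTLS guards every download call so a regression to plaintext fails closed.
func requireTLS(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("refusing non-TLS scheme %q in %s", u.Scheme, rawURL)
	}
	return nil
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// verifyDigest is defence in depth on top of TLS: if the expected digest is known,
// a substituted body is caught even if transport security is ever misconfigured.
func verifyDigest(data []byte, expectedHex string) error {
	if !strings.EqualFold(sha256Hex(data), expectedHex) {
		return errors.New("content digest mismatch: possible tampering")
	}
	return nil
}

// fetchTinyFile downloads only over TLS, caps the body size, and verifies the digest.
func fetchTinyFile(client *http.Client, rawURL, expectedSHA256 string) ([]byte, error) {
	if err := requireTLS(rawURL); err != nil {
		return nil, err
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if err := verifyDigest(data, expectedSHA256); err != nil {
		return nil, err
	}
	return data, nil
}

// runDemo uses local httptest servers (constructed fixtures, no network): a TLS server with the
// genuine payload, a plaintext server, and a trusted TLS server that substitutes the body.
func runDemo() (tlsOK, plainRefused, tamperedRejected bool) {
	payload := []byte("tiny-file-contents") // constructed sample content
	serve := func(body []byte) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write(body) })
	}
	tlsSrv := httptest.NewTLSServer(serve(payload))
	defer tlsSrv.Close()
	plainSrv := httptest.NewServer(serve(payload))
	defer plainSrv.Close()
	evilSrv := httptest.NewTLSServer(serve([]byte("attacker-substituted")))
	defer evilSrv.Close()
	want := sha256Hex(payload)
	data, err := fetchTinyFile(tlsSrv.Client(), tlsSrv.URL+"/tiny/1", want)
	tlsOK = err == nil && string(data) == string(payload)
	_, err = fetchTinyFile(plainSrv.Client(), plainSrv.URL+"/tiny/1", want)
	plainRefused = err != nil // rejected by requireTLS before any bytes are sent
	_, err = fetchTinyFile(evilSrv.Client(), evilSrv.URL+"/tiny/1", want)
	tamperedRejected = err != nil // TLS handshake succeeded, digest check failed
	return tlsOK, plainRefused, tamperedRejected
}

func main() {
	fmt.Println("insecure:", buildTinyFileURLInsecure("scheduler.example", 8002, "tiny/abc"))
	fmt.Println("hardened:", buildTinyFileURL("scheduler.example", 8002, "tiny/abc"))
	tlsOK, plainRefused, tamperedRejected := runDemo()
	fmt.Println("tls ok:", tlsOK, "plain refused:", plainRefused, "tampered rejected:", tamperedRejected)
}
```

The `evilSrv` case stands in for a deployment where TLS is on but trust is misconfigured (for example verification disabled): the handshake succeeds, so only the digest check stops the substituted file. In a real deployment the expected digest has to come from a channel the attacker cannot rewrite, such as task metadata the scheduler already holds, otherwise the check adds nothing.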