Dragonfly Manager makes requests to external endpoints with disabled TLS...

2.7 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:L/E:U

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.

Basic Information

ID CVE-2025-59347

Source GitHub_M

Published Sep 17, 2025 at 19:23

Modified Sep 17, 2025 at 19:34

Affected Product

Vendor dragonflyoss

Product dragonfly

Version < 2.1.0

Affected Versions dragonflyoss dragonfly < 2.1.0

CWE Classification

CWE-295

References

{
    "lastseen": "",
    "description": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.",
    "published": "2025-09-17T19:23:20.557Z",
    "modified": "2025-09-17T19:34:06.018Z",
    "type": "cve",
    "title": "Dragonfly Manager makes requests to external endpoints with disabled TLS authentication",
    "source": "GitHub_M",
    "references": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97\nhttps://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf",
    "id": "CVE-2025-59347",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295"
    ],
    "cvelist": null,
    "sourceData": "dragonflyoss dragonfly < 2.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 2.7,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:L/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "dragonfly",
    "version": "< 2.1.0",
    "vendor": "dragonflyoss",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Dragonfly Manager makes requests to external endpoints with disabled TLS authentication_CVE-2025-59347