CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59354 – Dragonfly has weak integrity checks for downloaded files
https://notcve.org/view.php?id=CVE-2025-59354
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0. These are all security issues fixed in the govulncheck-vulndb-0.0.20250924T192141-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-328: Use of Weak Hash •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-59353 – Manager generates mTLS certificates for arbitrary IP addresses
https://notcve.org/view.php?id=CVE-2025-59353
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed ... • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-295: Improper Certificate Validation CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59352 – Dragonfly allows arbitrary file read and write on a peer machine
https://notcve.org/view.php?id=CVE-2025-59352
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0. These are all security issues fixed in the govulncheck-vulndb-0.0.20250924T19... • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59351 – Dragonfly possibly panics due to nil pointer dereference when using variables created alongside an error
https://notcve.org/view.php?id=CVE-2025-59351
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0. These are all security issues fixed in the govulncheck-vulndb-0.0.20250924T192141-1.1 package on the GA media of openSUSE Tumbleweed. • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59350 – Timing attacks against Proxy’s basic authentication are possible
https://notcve.org/view.php?id=CVE-2025-59350
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0. These are all security issues fixed in the govulncheck-... • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-208: Observable Timing Discrepancy •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59349 – Directories created via os.MkdirAll are not checked for permissions
https://notcve.org/view.php?id=CVE-2025-59349
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulner... • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59348 – Dragonfly incorrectly handles a task structure’s usedTraffic field
https://notcve.org/view.php?id=CVE-2025-59348
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-457: Use of Uninitialized Variable •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59347 – Dragonfly Manager makes requests to external endpoints with disabled TLS authentication
https://notcve.org/view.php?id=CVE-2025-59347
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59346 – Dragonfly server-side request forgery vulnerability
https://notcve.org/view.php?id=CVE-2025-59346
17 Sep 2025 — Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSourc... • https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 46EXPL: 0CVE-2025-20705
https://notcve.org/view.php?id=CVE-2025-20705
01 Sep 2025 — In monitor_hang, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09989078; Issue ID: MSV-3964. • https://corp.mediatek.com/product-security-bulletin/September-2025 • CWE-416: Use After Free •