PT-2025-38258 · Dragonfly · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27 · CVE-2025-59347

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0

Description: Dragonfly, an open source P2P-based file distribution and image acceleration system, disables TLS certificate verification in its HTTP clients. These clients are not configurable, so users cannot re-enable verification. An attacker able to intercept the connection can perform a man-in-the-middle attack and feed invalid data to the Manager, leading to preheating with incorrect data and resulting in denial of service and file integrity issues. The vulnerable code is in the getAuthToken function, where the TLSClientConfig of the http.Transport sets InsecureSkipVerify to true.

Recommendations: Upgrade to version 2.1.0 or later.
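As an added illustration (not Dragonfly's own code), the weak http.Transport pattern the description names beside a verifying one, plus a small check that flags any client whose transport disables verification; the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// Weak pattern from the advisory: InsecureSkipVerify=true skips chain and
// hostname checks, so any certificate a man-in-the-middle presents is accepted.
func newInsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// Hardened form: verification stays on (RootCAs nil = system trust store);
// MinVersion additionally refuses TLS versions below 1.2.
func newVerifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// CheckClientTLS flags a client whose transport disables certificate
// verification; usable as a guard in unit tests or review tooling.
func CheckClientTLS(c *http.Client) error {
	if c.Transport == nil {
		return nil // http.DefaultTransport verifies certificates
	}
	t, ok := c.Transport.(*http.Transport)
	if !ok {
		return errors.New("transport is not *http.Transport; inspect manually")
	}
	if t.TLSClientConfig != nil && t.TLSClientConfig.InsecureSkipVerify {
		return errors.New("InsecureSkipVerify is true: TLS verification disabled")
	}
	return nil
}

func main() {
	fmt.Println("insecure client:", CheckClientTLS(newInsecureClient()))
	fmt.Println("verifying client:", CheckClientTLS(newVerifyingClient()))
}
```

Against a self-signed test server the verifying client fails with an x509 error while the insecure one connects, which is exactly the gap the fix in 2.1.0 closes.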

Weakness Enumeration

Improper Authentication
Improper Certificate Validation

Related Identifiers

CVE-2025-59347
GHSA-98X5-JW98-6C97
GO-2025-3966
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products

Dragonfly