PT-2025-38273 · Dragonfly · Dragonfly
Gaius-Qi
Published 2025-09-17 · Updated 2025-10-27
CVE-2025-59354
CVSS v4.0: 6.9 (Medium)
CVSS vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Dragonfly versions prior to 2.1.0
Description
Dragonfly2 uses the MD5 hash function to verify downloaded files, and MD5 is not collision resistant. An attacker who can produce two files with the same MD5 digest can therefore substitute a malicious file for a legitimate one without the integrity check noticing. For example, Alice can craft an innocent image and a malicious image with colliding MD5 hashes; Bob, fetching the image over the peer-to-peer network, may unintentionally receive and use the malicious one. The weakness lies in the use of MD5 for the pieceDigests variable and in the subsequent comparison against t.PieceMd5Sign.
Recommendations
Upgrade to version 2.1.0 or above.
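The piece-verification step the description refers to, shown with the MD5 path the advisory describes beside a SHA-256 replacement that also refuses MD5 declarations outright. This is added illustration code, not Dragonfly's own implementation; the "<algo>:<hex>" digest encoding, the function names and the allowWeak switch are assumptions of the example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// digestOf hashes one piece with the named algorithm and returns it in the
// constructed "<algo>:<hex>" form this example assumes for declared digests.
func digestOf(algo string, data []byte) (string, error) {
	switch algo {
	case "md5": // not collision resistant; models the pre-2.1.0 behaviour only
		sum := md5.Sum(data)
		return "md5:" + hex.EncodeToString(sum[:]), nil
	case "sha256":
		sum := sha256.Sum256(data)
		return "sha256:" + hex.EncodeToString(sum[:]), nil
	}
	return "", errors.New("unsupported digest algorithm: " + algo)
}

// verifyPiece recomputes a downloaded piece's digest and compares it with the
// declared one in constant time. With allowWeak=false an MD5 declaration is
// refused up front: a matching MD5 proves nothing against colliding files.
func verifyPiece(data []byte, declared string, allowWeak bool) error {
	parts := strings.SplitN(declared, ":", 2)
	if len(parts) != 2 {
		return errors.New("malformed digest")
	}
	if parts[0] == "md5" && !allowWeak {
		return errors.New("md5 piece digest refused: not collision resistant")
	}
	actual, err := digestOf(parts[0], data)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(actual), []byte(declared)) != 1 {
		return errors.New("piece digest mismatch")
	}
	return nil
}

// pieceSign covers the ordered piece digests with one SHA-256 digest, the
// role the advisory gives PieceMd5Sign, without relying on MD5.
func pieceSign(digests []string) string {
	sum := sha256.Sum256([]byte(strings.Join(digests, "\n")))
	return hex.EncodeToString(sum[:])
}
```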
Affected Products
Dragonfly