PT-2025-38274 · Dragonfly · Dragonfly

Gaius-Qi · Published 2025-09-17 · Updated 2025-10-27 · CVE-2025-59410

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0

Description: Dragonfly, an open source P2P-based file distribution and image acceleration system, is susceptible to a man-in-the-middle attack. The scheduler's download path for small ("tiny") files was configured to use plain HTTP instead of HTTPS, which lets an attacker positioned on the network intercept and modify the request and response, potentially replacing legitimate data with malicious content. The vulnerability is exacerbated by weak integrity checks on the downloaded data. The vulnerable code is in the DownloadTinyFile() function, which requests the URL http://${host}:${port}/download/${taskIndex}/${taskID}?peerId=${peerID}.

Recommendations: Upgrade to Dragonfly version 2.1.0 or later.
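As an added illustration of the hardened pattern the advisory implies (this is not Dragonfly's own code; the function and variable names are hypothetical), a Go sketch that builds the tiny-file URL with the https scheme, refuses any non-HTTPS URL before sending the request, and accepts the body only when its SHA-256 matches a digest the caller already trusts:

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

var ErrInsecureScheme = fmt.Errorf("refusing non-HTTPS tiny-file download URL")
var ErrDigestMismatch = fmt.Errorf("tiny-file content does not match expected digest")

// TinyFileURL builds the tiny-file download URL with the https scheme; the
// vulnerable variant described in the advisory used http for the same path.
func TinyFileURL(host string, port int, taskIndex, taskID, peerID string) string {
	return fmt.Sprintf("https://%s:%d/download/%s/%s?peerId=%s",
		host, port, url.PathEscape(taskIndex), url.PathEscape(taskID), url.QueryEscape(peerID))
}

// VerifyTinyFile compares the SHA-256 of data with the expected hex digest,
// so content swapped in transit is rejected even if the transport is weak.
func VerifyTinyFile(data []byte, expectedSHA256 string) error {
	sum := sha256.Sum256(data)
	if fmt.Sprintf("%x", sum) != expectedSHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// DownloadTinyFile fetches rawURL with c, refusing any scheme other than
// https and returning the body only when its digest matches expectedSHA256.
func DownloadTinyFile(c *http.Client, rawURL, expectedSHA256 string) ([]byte, error) {
	if u, err := url.Parse(rawURL); err != nil || u.Scheme != "https" {
		return nil, ErrInsecureScheme
	}
	resp, err := c.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if err := VerifyTinyFile(data, expectedSHA256); err != nil {
		return nil, err
	}
	return data, nil
}
```

The expected digest must come from a trusted source such as the task metadata the scheduler already holds, not from the same unauthenticated response that carries the file.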


Weakness Enumeration: Missing Encryption of Sensitive Data

Related Identifiers:

CVE-2025-59410
GHSA-MCVP-RPGG-9273
GO-2025-3974
OPENSUSE-SU-2025:15576-1
SUSE-SU-2025:3799-1

Affected Products:

Dragonfly