CVE-2025-59410

LOW

Linuxfoundation Dragonfly < 2.1.0 - Missing Encryption

Title source: rule

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.

References (2)

[Patch, Third Party Advisory] https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273

[Product] https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf

Scores

CVSS v3 3.7

EPSS 0.0002

EPSS Percentile 5.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-311

Status published

Products (3)

dragonfly/v2 0 - 2.1.0Go

dragonflyoss/dragonfly 0 - 2.1.0Go

linuxfoundation/dragonfly < 2.1.0

Published Sep 17, 2025

Tracked Since Feb 18, 2026