CVE-2025-59347

6.5 MEDIUM

📋 TL;DR

Dragonfly Manager versions before 2.1.0 ship with TLS certificate verification disabled in their HTTP clients, leaving the Manager open to man-in-the-middle attacks. An attacker who can intercept the Manager's network traffic can supply invalid data during preheat jobs, causing denial of service and file integrity problems. This affects all Dragonfly users running vulnerable Manager instances.
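To make the defect class concrete, the following added Go example (written for this page, not Dragonfly's own code; the server, payload and function names are constructed) runs three HTTP clients against a server presenting a self-signed certificate: one with InsecureSkipVerify, which accepts it as the pre-2.1.0 Manager would; one verifying against a trust store that lacks the issuer, which rejects it; and one that trusts the private CA through RootCAs, the correct alternative to disabling verification.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTP client from a TLS config. InsecureSkipVerify: true
// reproduces the defect class described above: chain and hostname checks are
// skipped, so any certificate an on-path party presents is accepted.
func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch reports whether GET succeeded and, if not, whether it failed on certificate validation.
func fetch(c *http.Client, url string) (ok, certErr bool) {
	resp, err := c.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError
		var hn x509.HostnameError
		return false, errors.As(err, &ua) || errors.As(err, &hn)
	}
	resp.Body.Close()
	return true, false
}

// Probe serves a constructed "preheat payload" behind httptest's self-signed
// certificate (standing in for an untrusted endpoint) and queries it with a
// skip-verify client, a verifying client lacking the issuer, and a pinning client.
func Probe() (skipVerifyOK, verifyOK, verifyCertErr, pinnedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "preheat payload")
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	skipVerifyOK, _ = fetch(newClient(&tls.Config{InsecureSkipVerify: true}), srv.URL)
	verifyOK, verifyCertErr = fetch(newClient(&tls.Config{RootCAs: x509.NewCertPool()}), srv.URL)
	pinnedOK, _ = fetch(newClient(&tls.Config{RootCAs: pool}), srv.URL)
	return
}

func main() {
	a, b, c, d := Probe()
	fmt.Printf("skip-verify: %v, verifying: %v (cert error %v), pinned: %v\n", a, b, c, d)
}
```

The verifying client's rejection is the behaviour the 2.1.0 fix restores; the pinning client shows how a private CA is trusted without turning verification off.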

💻 Affected Systems

Products:
  • Dragonfly Manager
Versions: All versions prior to 2.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Manager component is affected; the Scheduler and other components are not vulnerable. The defect is in the Manager's HTTP client configuration, which users cannot change through settings.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Adversary provides malicious data during preheat jobs, corrupting distributed files and causing widespread service disruption across the P2P network.

🟠

Likely Case

Network-level MITM attack leads to preheating of incorrect or corrupted data, causing downstream file integrity problems and partial service degradation.

🟢

If Mitigated

With proper network segmentation and TLS verification enabled, impact is limited to potential performance issues without data corruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a network position from which the attacker can intercept the Manager's HTTP traffic (MITM). No authentication bypass is needed, because the attack targets preheat job processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.0

Vendor Advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97

Restart Required: No

Instructions:

1. Upgrade Dragonfly Manager to version 2.1.0 or later.
2. No configuration changes are required; TLS verification is enabled by default in the fixed version.
3. Verify that the Manager is functioning correctly after the upgrade.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate Dragonfly Manager network traffic to prevent MITM attacks.

Monitor Preheat Jobs (applies to: all)

Implement monitoring for preheat job failures or data integrity issues.

🧯 If You Can't Patch

  • Deploy network-level TLS inspection to detect and block MITM attempts
  • Implement strict network access controls limiting who can communicate with the Manager

🔍 How to Verify

Check if Vulnerable:

Check Dragonfly Manager version; if below 2.1.0, it is vulnerable.

Check Version:

dragonfly-manager --version

Verify Fix Applied:

Verify Manager version is 2.1.0 or higher and check that preheat jobs complete successfully with valid TLS certificates.

📡 Detection & Monitoring

Log Indicators:

  • Failed preheat jobs
  • TLS certificate validation errors
  • Unexpected data sources in preheat logs

Network Indicators:

  • Unusual network traffic patterns to/from Manager
  • MITM detection alerts from network security tools

SIEM Query:

source="dragonfly-manager" AND ("preheat failed" OR "certificate" OR "TLS")
