Dragonfly Manager makes requests to external endpoints with disabled TLS authentication
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in its HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly Manager's HTTP clients disable TLS certificate verification, enabling MitM attacks that cause denial of service and file integrity issues.
Vulnerability
Overview
In Dragonfly versions prior to 2.1.0, the Manager component disables TLS certificate verification in its HTTP clients (see code in getAuthToken). The tls.Config is set with InsecureSkipVerify: true, and the clients are not configurable, so users cannot re-enable verification [1][4]. This means the Manager will accept any TLS certificate, including self-signed or malicious ones, when making HTTP requests.
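As an added example (not Dragonfly's own code), the Go program below contrasts the hard-coded `InsecureSkipVerify: true` pattern described above with a client that keeps verification on, and shows how a private CA is trusted without disabling verification. The local self-signed test server stands in for a forged endpoint; the server, payload and helper names are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClient wraps the given TLS settings; pre-2.1.0 the Manager hard-coded InsecureSkipVerify: true here.
func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// fetch performs a GET and returns nil only if the TLS handshake was accepted.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo starts a local server with a self-signed certificate (a stand-in for a forged endpoint) and reports which clients accept it.
func demo() (insecureAccepted, verifiedAccepted, pinnedAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("constructed sample payload"))
	}))
	defer srv.Close()
	// 1. Vulnerable pattern: verification off, so the untrusted certificate is accepted.
	insecureAccepted = fetch(newClient(&tls.Config{InsecureSkipVerify: true}), srv.URL) == nil
	// 2. Corrected pattern: verification on against the system trust store; rejected.
	verifiedAccepted = fetch(newClient(&tls.Config{MinVersion: tls.VersionTLS12}), srv.URL) == nil
	// 3. Private CA done right: add it to RootCAs instead of disabling verification.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedAccepted = fetch(newClient(&tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}), srv.URL) == nil
	return
}

func main() {
	insecure, verified, pinned := demo()
	fmt.Printf("insecure=%v verified=%v pinned=%v\n", insecure, verified, pinned)
}
```

Running it prints `insecure=true verified=false pinned=true`: only the client with verification disabled accepts the untrusted certificate, while the hardened client still reaches the server once its CA is placed in `RootCAs`.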
Exploitation
An adversary with network-level access (i.e., in a position to perform a Man-in-the-Middle attack) can intercept traffic between the Manager and external endpoints. Since the Manager processes dozens of preheat jobs, the attacker can supply invalid data to the Manager. The Manager will trust this data because TLS verification is disabled [1][4].
Impact
By feeding the Manager incorrect data, an attacker can cause the system to preheat with the wrong content. This leads to denial of service (e.g., unavailable or incorrect artifacts) and file integrity problems, as the system distributes corrupted or unexpected files to peers [1][4].
Mitigation
The vulnerability is fixed in Dragonfly v2.1.0. No effective workarounds exist beyond upgrading to the patched version [4]. Users should update their deployments to at least 2.1.0 to eliminate the risk of MitM attacks exploiting this TLS verification weakness.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dragonflyoss/dragonfly | Go | < 2.1.0 | 2.1.0 |
| d7y.io/dragonfly/v2 | Go | < 2.1.0 | 2.1.0 |
Affected products
- Range: < 2.1.0
- dragonflyoss/dragonfly, range: < 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-98x5-jw98-6c97 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-59347 (NVD advisory)
- [3] https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf (security report)
- [4] https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97 (vendor advisory)
- [5] https://pkg.go.dev/vuln/GO-2025-3966 (Go vulnerability database)
News mentions
No linked articles in our index yet.