VYPR
High severity · NVD Advisory · Published Sep 17, 2025 · Updated Sep 18, 2025

Manager generates mTLS certificates for arbitrary IP addresses

CVE-2025-59353

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Dragonfly before 2.1.0, the Manager's Certificate gRPC service does not validate that the IPs requested in a CSR belong to the requesting peer, allowing a peer to obtain mTLS certificates for arbitrary IP addresses.

Vulnerability

Overview

CVE-2025-59353 is a critical authentication bypass vulnerability in Dragonfly, an open-source P2P file distribution and image acceleration system. Prior to version 2.1.0, the Manager's Certificate gRPC service fails to verify whether the IP addresses requested in a certificate signing request (CSR) actually belong to the peer making the request [1][4]. The code contains a TODO comment indicating that IP validation was never implemented, and the service only checks the CSR signature without verifying that the requested IPs match the peer's connection address [4].

Exploitation

An attacker can exploit this by connecting to the Manager and submitting a CSR that includes arbitrary IP addresses. The service will issue a valid TLS certificate for those IPs, regardless of whether the attacker controls them [1][4]. The vulnerability is present in the certificate generation logic, where the peer's connected IP is parsed but only used as a fallback if the CSR contains no IP addresses [4].
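The missing check, written out as an added Go example (not Dragonfly's code): allowedIPsVulnerable mirrors the fallback-only logic the advisory describes, while allowedIPsFixed refuses any requested IP that differs from the address the peer actually connected from. The function names, the peerIP helper and the "host:port" peer-address form are assumptions made for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/netip"
)

// peerIP parses the address the peer connected from, e.g. "192.0.2.7:51234" (hypothetical helper).
func peerIP(peerAddr string) (net.IP, error) {
	ap, err := netip.ParseAddrPort(peerAddr)
	if err != nil {
		return nil, fmt.Errorf("bad peer address %q: %w", peerAddr, err)
	}
	return net.IP(ap.Addr().AsSlice()), nil
}

// allowedIPsVulnerable mirrors the pre-2.1.0 logic the advisory describes: CSR IPs are certified as-is.
func allowedIPsVulnerable(peerAddr string, csr *x509.CertificateRequest) ([]net.IP, error) {
	if len(csr.IPAddresses) > 0 {
		return csr.IPAddresses, nil // never compared with peerAddr
	}
	ip, err := peerIP(peerAddr) // connection IP is only a fallback
	if err != nil {
		return nil, err
	}
	return []net.IP{ip}, nil
}

// allowedIPsFixed refuses any requested IP other than the one the peer actually connected from.
func allowedIPsFixed(peerAddr string, csr *x509.CertificateRequest) ([]net.IP, error) {
	ip, err := peerIP(peerAddr)
	if err != nil {
		return nil, err
	}
	for _, want := range csr.IPAddresses {
		if !want.Equal(ip) {
			return nil, fmt.Errorf("CSR requests %s but peer connected from %s", want, ip)
		}
	}
	return []net.IP{ip}, nil // an empty CSR list still falls back to the peer IP
}

func main() {
	// Constructed input: a peer at 192.0.2.7 asks for a certificate naming 10.0.0.9.
	csr := &x509.CertificateRequest{IPAddresses: []net.IP{net.ParseIP("10.0.0.9")}}
	fmt.Println(allowedIPsVulnerable("192.0.2.7:51234", csr))
	fmt.Println(allowedIPsFixed("192.0.2.7:51234", csr))
}
```

The CSR signature check the service already performs is a separate step; this example covers only the IP ownership check that was absent.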

Impact

Successful exploitation allows a malicious peer to obtain valid mTLS certificates for any IP address, effectively bypassing mutual TLS authentication. This undermines the security of the entire Dragonfly cluster, enabling an attacker to impersonate other peers or services, intercept traffic, and perform man-in-the-middle attacks [1][4].

Mitigation

The vulnerability is fixed in Dragonfly version 2.1.0 [1][4]. There are no effective workarounds beyond upgrading [4]. Users should update to the latest version immediately to restore mTLS integrity.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                 Affected versions   Patched versions
github.com/dragonflyoss/dragonfly (Go)  < 2.1.0             2.1.0
d7y.io/dragonfly/v2 (Go)                < 2.1.0             2.1.0
