Dragonfly tiny file download uses hard coded HTTP protocol
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dragonfly scheduler's tiny file download uses hardcoded HTTP, enabling MITM attacks; fixed in v2.1.0.
The vulnerability lies in the Dragonfly scheduler's DownloadTinyFile function, which hardcodes the HTTP scheme instead of HTTPS when constructing the download URL for tiny files [1]. This oversight means that the request is transmitted over unencrypted HTTP, making it susceptible to interception and modification by a network-level attacker.
An attacker positioned between the peer and the scheduler can perform a Man-in-the-Middle (MITM) attack, altering the download URL or the data in transit. The advisory notes that this attack is further facilitated by weak integrity checks (TOB-DF2-15), allowing modified data to go undetected [4]. The attacker does not need to join the peer-to-peer network; they only require network access to the communication path.
Successful exploitation allows the attacker to replace legitimate files with malicious ones. Unsuspecting peers then consume these tampered files, potentially leading to supply-chain compromise or other downstream impacts [4].
Dragonfly version 2.1.0 and above contain the fix, which changes the scheme to HTTPS for tiny file downloads. No effective workarounds exist beyond upgrading [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
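As an added illustration (not Dragonfly's own code), the defect described above in Go: a URL builder that hard codes the http scheme beside one that always emits https, plus a client-side guard that refuses a plaintext download URL before any request is sent. The Peer type, the port, the task id and the /download path are constructed assumptions; the fixed builder also goes slightly beyond the advisory by bracketing IPv6 hosts, which the format-string version does not.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// Peer is an assumed, simplified peer descriptor (not a Dragonfly type).
type Peer struct {
	IP     string
	Port   int
	TaskID string
}

// vulnerableTinyFileURL mirrors the pre-2.1.0 pattern: the scheme is a
// fixed "http", so the transfer is plaintext however the peer is configured.
func vulnerableTinyFileURL(p Peer) string {
	return fmt.Sprintf("http://%s:%d/download/%s", p.IP, p.Port, p.TaskID)
}

// fixedTinyFileURL always emits https (as the 2.1.0 fix does) and builds the
// host with JoinHostPort so IPv6 literals are bracketed correctly.
func fixedTinyFileURL(p Peer) string {
	u := url.URL{
		Scheme: "https",
		Host:   net.JoinHostPort(p.IP, strconv.Itoa(p.Port)),
		Path:   "/download/" + p.TaskID,
	}
	return u.String()
}

// requireTLS is a defensive check a client can run on any URL it is handed:
// it rejects anything that is not https, so a hard-coded or tampered scheme
// fails closed instead of silently downloading over plaintext.
func requireTLS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("refusing non-TLS download URL: " + raw)
	}
	return nil
}

func main() {
	p := Peer{IP: "192.0.2.10", Port: 8006, TaskID: "example-task"} // constructed values
	for _, build := range []func(Peer) string{vulnerableTinyFileURL, fixedTinyFileURL} {
		if err := requireTLS(build(p)); err != nil {
			fmt.Println("BLOCKED:", err)
		} else {
			fmt.Println("OK:", build(p))
		}
	}
}
```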
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/dragonflyoss/dragonfly | Go | < 2.1.0 | 2.1.0 |
| d7y.io/dragonfly/v2 | Go | < 2.1.0 | 2.1.0 |
Affected products
- Range: < 2.1.0
- dragonflyoss/dragonfly: Range < 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-mcvp-rpgg-9273 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-59410 (GHSA, advisory)
- https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf (GHSA, x_refsource_MISC, web)
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273 (GHSA, x_refsource_CONFIRM, web)
- https://pkg.go.dev/vuln/GO-2025-3974 (GHSA, web)
News mentions
No linked articles in our index yet.