CVE-2025-59347: Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users have no way to re-enable the verification.
```go
// Excerpt from the Manager's getAuthToken: the HTTP client is built with an
// http.Transport whose tls.Config sets InsecureSkipVerify, so the server
// certificate presented by the external endpoint is never checked.
func getAuthToken(ctx context.Context, header http.Header) (string, error) {
	[skipped]
	client := &http.Client{
		Timeout: defaultHTTPRequesttimeout,
		Transport: &http.Transport{
			// Disables certificate and hostname verification; not configurable by users.
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
	[skipped]
}
```
A Manager processes dozens of preheat jobs. An adversary in a network-level man-in-the-middle position serves invalid data to the Manager; because the certificate the adversary presents is never verified, the Manager accepts it. The Manager preheats with the wrong data, which later causes a denial of service and file-integrity problems.
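The fix is to build the client with a tls.Config that keeps verification on, and optionally to trust only the CA that issues the external endpoints' certificates. The following is an added example, not Dragonfly's code or part of the advisory: the function names (newVerifyingClient, transportSkipsVerify, fetch, isCertError, startServer) are hypothetical, and a local httptest TLS server with a self-signed certificate stands in for the external endpoints the Manager contacts. It shows the advisory's pattern beside the corrected one, and demonstrates that a verifying client rejects an endpoint whose certificate is not trusted while still reaching it once the right CA is pinned.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newVerifyingClient returns an HTTP client whose transport verifies the server
// certificate. If caPEM is non-empty, only that CA bundle is trusted; otherwise
// the system roots are used. InsecureSkipVerify is never set.
func newVerifyingClient(caPEM []byte, timeout time.Duration) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no valid CA certificates in PEM bundle")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}, nil
}

// transportSkipsVerify reports whether a client is configured the way the
// advisory describes: an *http.Transport with InsecureSkipVerify set. Useful as
// a unit-test or code-review check on clients a service constructs.
func transportSkipsVerify(c *http.Client) bool {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t.TLSClientConfig == nil {
		return false
	}
	return t.TLSClientConfig.InsecureSkipVerify
}

// fetch performs a GET and returns the body; TLS verification failures surface
// as the returned error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// isCertError reports whether err stems from X.509 certificate verification.
// The typed checks cover the usual cases; the string check is a fallback for
// platform verifiers that return other error types.
func isCertError(err error) bool {
	if err == nil {
		return false
	}
	var unknownAuth x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownAuth) || errors.As(err, &hostErr) ||
		errors.As(err, &invalid) || errors.As(err, &noRoots) ||
		strings.Contains(err.Error(), "x509:")
}

// startServer starts a TLS test server (constructed locally; it stands in for
// an external endpoint) and returns it with the PEM encoding of its self-signed
// certificate, which doubles as the CA bundle a client may pin.
func startServer() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "token-ok")
	}))
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, certPEM
}

func main() {
	srv, caPEM := startServer()
	defer srv.Close()

	// The advisory's pattern: any certificate, including an attacker's, is accepted.
	insecure := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
	fmt.Println("insecure client skips verification:", transportSkipsVerify(insecure))

	// Verification on with system roots only: the self-signed endpoint is rejected.
	strict, _ := newVerifyingClient(nil, 5*time.Second)
	_, err := fetch(strict, srv.URL)
	fmt.Println("untrusted endpoint rejected:", isCertError(err))

	// Verification on with the endpoint's CA pinned: the request succeeds.
	pinned, _ := newVerifyingClient(caPEM, 5*time.Second)
	body, err := fetch(pinned, srv.URL)
	fmt.Println("pinned CA body:", body, "err:", err)
}
```

In a service, the CA bundle would come from configuration rather than from the server itself as it does in this demonstration; the point is that the verifying client, unlike the one in the advisory, only talks to an endpoint whose certificate chains to a configured trust anchor for the requested hostname.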
References
- github.com/advisories/GHSA-98x5-jw98-6c97
- github.com/dragonflyoss/dragonfly
- github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-98x5-jw98-6c97
- nvd.nist.gov/vuln/detail/CVE-2025-59347
- pkg.go.dev/vuln/GO-2025-3966