CVE-2025-59353: DragonFly's manager generates mTLS certificates for arbitrary IP addresses

September 17, 2025 (updated September 18, 2025)

A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request.

if addr, ok := p.Addr.(*net.TCPAddr); ok {
ip = addr.IP.String()
} else {
ip, _, err = net.SplitHostPort(p.Addr.String())
if err != nil {
return nil, err
}
}
// Parse csr.
[skipped]
// Check csr signature.
// TODO check csr common name and so on.
if err = csr.CheckSignature(); err != nil {
return nil, err
}
[skipped]
// TODO only valid for peer ip
// BTW we need support both of ipv4 and ipv6.
ips := csr.IPAddresses
if len(ips) == 0 {
// Add default connected ip.
ips = []net.IP{net.ParseIP(ip)}
}

References

Code Behaviors & Features

Detect and mitigate CVE-2025-59353 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →