CVE-2025-59410: DragonFly's tiny file download uses hard coded HTTP protocol

The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed.

// DownloadTinyFile downloads tiny file from peer without range.
func (p *Peer) DownloadTinyFile() ([]byte, error) {
ctx, cancel := context.WithTimeout(context.Background(),
downloadTinyFileContextTimeout)
defer cancel()
// Download url:
http://${host}:${port}/download/${taskIndex}/${taskID}?peerId=${peerID}
targetURL := url.URL{
Scheme:
}
"http",
fmt.Sprintf("%s:%d", p.Host.IP, p.Host.DownloadPort),
fmt.Sprintf("download/%s/%s", p.Task.ID[:3], p.Task.ID),
Host:
Path:
RawQuery: fmt.Sprintf("peerId=%s", p.ID),

A network-level attacker who cannot join a peer-to-peer network performs a Man-in-the-Middle attack on peers. The adversary can do this because peers (partially) communicate over plaintext HTTP protocol. The attack chains this vulnerability with the one described in TOB-DF2-15 to replace correct files with malicious ones. Unconscious peers use the malicious files.