CVE-2025-59353— Manager generates mTLS certificates for arbitrary IP addresses
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-59353
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Manager generates mTLS certificates for arbitrary IP addresses
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
证书验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dragonfly 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dragonfly是DragonflyDB开源的一个框架,可以对任何内容类型进行动态处理。 Dragonfly 2.1.0之前版本存在安全漏洞,该漏洞源于Manager的Certificate gRPC服务未验证请求IP地址是否属于请求证书的对等节点,可能导致mTLS身份验证失效。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| dragonflyoss | dragonfly | < 2.1.0 | - |
II. Public POCs for CVE-2025-59353
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-59353
请登录查看更多情报信息。
Same Patch Batch · dragonflyoss · 2025-09-17 · 11 CVEs total
| CVE-2025-59350 | Timing attacks against Proxy’s basic authentication are possible | |
| CVE-2025-59352 | Dragonfly allows arbitrary file read and write on a peer machine | |
| CVE-2025-59345 | Dragonfly did not enable authentication for some Manager’s endpoints | |
| CVE-2025-59348 | Dragonfly incorrectly handles a task structure’s usedTraffic field | |
| CVE-2025-59347 | Dragonfly Manager makes requests to external endpoints with disabled TLS authentication | |
| CVE-2025-59351 | Dragonfly possibly panics due to nil pointer dereference when using variables created alon | |
| CVE-2025-59346 | Dragonfly server-side request forgery vulnerability | |
| CVE-2025-59349 | Directories created via os.MkdirAll are not checked for permissions | |
| CVE-2025-59410 | Dragonfly tiny file download uses hard coded HTTP protocol | |
| CVE-2025-59354 | Dragonfly has weak integrity checks for downloaded files |
IV. Related Vulnerabilities
Same product: dragonfly
- CVE-2026-24124
Dragonfly Manager Job API Allows Unauthenticated Access - CVE-2025-59410
Dragonfly tiny file download uses hard coded HTTP protocol - CVE-2025-59354
Dragonfly has weak integrity checks for downloaded files - CVE-2025-59352
Dragonfly allows arbitrary file read and write on a peer mac - CVE-2025-59351
Dragonfly possibly panics due to nil pointer dereference whe
Same vendor: dragonflyoss
- CVE-2026-24124
Dragonfly Manager Job API Allows Unauthenticated Access - CVE-2025-59410
Dragonfly tiny file download uses hard coded HTTP protocol - CVE-2025-59354
Dragonfly has weak integrity checks for downloaded files - CVE-2025-59352
Dragonfly allows arbitrary file read and write on a peer mac - CVE-2025-59351
Dragonfly possibly panics due to nil pointer dereference whe
Same weakness: CWE-295
V. Comments for CVE-2025-59353
No comments yet