{"id":"CVE-2025-59410","summary":"Dragonfly tiny file download uses hard coded HTTP protocol","details":"Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.","aliases":["GHSA-mcvp-rpgg-9273","GO-2025-3974"],"modified":"2026-04-02T12:57:03.793969Z","published":"2025-09-17T19:58:54.083Z","related":["SUSE-SU-2025:3799-1","openSUSE-SU-2025:15576-1"],"database_specific":{"cwe_ids":["CWE-311"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59410.json"},"references":[{"type":"WEB","url":"https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59410.json"},{"type":"ADVISORY","url":"https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59410"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dragonflyoss/dragonfly","events":[{"introduced":"0"},{"fixed":"8f6f20b604bb540c39db5fb7020926e6db2dd9c8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.0"}]}}],"versions":["v2.1.0-beta.1","v2.1.0-beta.2","v2.1.0-beta.3","v2.1.0-beta.4","v2.1.0-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59410.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/dragonflyoss/dragonfly2","events":[{"introduced":"0"},{"fixed":"8f6f20b604bb540c39db5fb7020926e6db2dd9c8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.0"}]}}],"versions":["v2.1.0-beta.1","v2.1.0-beta.2","v2.1.0-beta.3","v2.1.0-beta.4","v2.1.0-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59410.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}