Description
Advisory GHSA-255v-qv84-29p5 references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
A peer can obtain a valid TLS certificate for arbitrary IP addresses, which defeats the purpose of the mTLS authentication: any node that can reach the Manager can hold a certificate naming another node's address. The cause is that the Manager's Certificate gRPC service does not validate whether the requested IP addresses belong to the peer requesting the certificate, that is, whether the peer connects from the same IP address as the one it places in the certificate request. The service extracts the peer's source IP from the connection but does not compare it with the requested addresses:
```go
// Source-IP extraction in the Manager's Certificate gRPC service
// (snippet truncated in the advisory). p is the gRPC peer; the IP is
// taken from the TCP address when available and parsed out of the
// address string otherwise, but it is never checked against the IP
// SANs the peer requested.
if addr, ok := p.Addr.(*net.TCPAddr); ok {
	ip = addr.IP.String()
} else {
	ip, _, err = net.SplitHostPort(p.Addr.String())
	if err != nil {
		return nil, err
	...
```
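The missing check, as an added Go example that is not Dragonfly's code or the project's fix: `issueUnchecked` reproduces the vulnerable behaviour of returning whatever IP SANs the CSR asks for, while `issueChecked` requires every requested SAN to equal the IP the gRPC peer connected from. `peerIP` mirrors the two branches of the snippet above but takes a `net.Addr` instead of a gRPC `*peer.Peer` so the example runs offline; `makeCSR`, the function names, and the 10.0.0.5/10.0.0.9 addresses are constructed for this example and are not from the advisory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net"
)

// peerIP extracts the remote IP the way the quoted snippet does. It takes a
// net.Addr rather than grpc's *peer.Peer so the example runs offline.
func peerIP(addr net.Addr) (string, error) {
	if tcp, ok := addr.(*net.TCPAddr); ok {
		return tcp.IP.String(), nil
	}
	host, _, err := net.SplitHostPort(addr.String())
	if err != nil {
		return "", err
	}
	return host, nil
}

// ipSANsFromCSR parses a DER CSR, verifies its self-signature and returns
// the IP SANs the peer asked for. These are attacker-controlled input.
func ipSANsFromCSR(der []byte) ([]net.IP, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr.IPAddresses, nil
}

// issueUnchecked models the vulnerable behaviour described in the advisory:
// the peer address is looked up but never compared with the requested SANs,
// so any IP the peer names ends up in the certificate.
func issueUnchecked(addr net.Addr, requested []net.IP) ([]net.IP, error) {
	if _, err := peerIP(addr); err != nil {
		return nil, err
	}
	return requested, nil
}

// issueChecked is the hardened form (an assumed fix, not the project's patch):
// every requested IP SAN must equal the address the request arrived from.
// net.IP.Equal treats an IPv4 address and its IPv4-mapped IPv6 form as equal,
// so "::ffff:10.0.0.5" cannot be used to slip past the comparison.
func issueChecked(addr net.Addr, requested []net.IP) ([]net.IP, error) {
	host, err := peerIP(addr)
	if err != nil {
		return nil, err
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("peer address %q is not an IP", host)
	}
	if len(requested) == 0 {
		return nil, fmt.Errorf("csr carries no IP SANs")
	}
	for _, ip := range requested {
		if !ip.Equal(peer) {
			return nil, fmt.Errorf("requested SAN %s does not match peer IP %s", ip, peer)
		}
	}
	return requested, nil
}

// makeCSR builds a self-signed CSR with the given IP SANs, standing in for
// the request a (possibly malicious) peer would send. Constructed input.
func makeCSR(ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{IPAddresses: ips}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	// Constructed scenario: the peer connects from 10.0.0.5 but also asks
	// for 10.0.0.9, another node's address.
	conn := &net.TCPAddr{IP: net.ParseIP("10.0.0.5"), Port: 43210}
	der, err := makeCSR([]net.IP{net.ParseIP("10.0.0.5"), net.ParseIP("10.0.0.9")})
	if err != nil {
		panic(err)
	}
	requested, err := ipSANsFromCSR(der)
	if err != nil {
		panic(err)
	}
	granted, _ := issueUnchecked(conn, requested)
	fmt.Println("unchecked issues SANs:", granted)
	if _, err := issueChecked(conn, requested); err != nil {
		fmt.Println("checked rejects:", err)
	}
}
```

One caveat for anyone applying this pattern: comparing against the gRPC peer address only proves ownership when the Manager sees the peer's real source address. Behind a TLS-terminating proxy, a load balancer or NAT the observed address is the intermediary's, and such a check would either reject every legitimate request or, if relaxed to trust a forwarded-for header, reintroduce the same spoofing problem.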
References:
- ADVISORY: https://github.com/advisories/GHSA-255v-qv84-29p5
- ADVISORY: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-255v-qv84-29p5
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
- data/reports/GO-2024-3136.yaml (https://github.com/golang/vulndb/issues/3136)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: d7y.io/dragonfly/v2
versions:
- fixed: 2.1.0
vulnerable_at: 2.1.0-rc.0
- module: github.com/dragonflyoss/dragonfly
vulnerable_at: 1.0.6
summary: DragonFly's manager generates mTLS certificates for arbitrary IP addresses in d7y.io/dragonfly
cves:
- CVE-2025-59353
ghsas:
- GHSA-255v-qv84-29p5
references:
- advisory: GHSA-255v-qv84-29p5
- advisory: GHSA-255v-qv84-29p5
- web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
id: GHSA-255v-qv84-29p5
created: 2025-09-17T21:01:18.003818157Z
review_status: UNREVIEWED