Description
Advisory GHSA-hx2h-vjw2-8r54 references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
DragonFly2 uses a variety of hash functions, including MD5. MD5 does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear whether there are any scenarios in which the lack of collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system.
```go
var pieceDigests []string
for i := int32(0); i < t.TotalPieces; i++ {
	pieceDigests = append(pieceDigests, t.Pieces[i].Md5)
}
dige...
```
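As an added illustration (not DragonFly2's own code), the per-piece digest pattern from the truncated snippet above, computed once with MD5 as the advisory describes and once with SHA-256 as the hardened alternative. The `Piece` type, the `digestPieces` helper and the way per-piece digests are joined into a task digest are assumptions, since the original snippet is cut off after `dige...`.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Piece is a constructed stand-in for one downloaded piece (hypothetical type).
type Piece struct {
	Data []byte
}

// digestPieces hashes every piece with the supplied constructor, then hashes the
// joined per-piece digests into one task-level digest. Joining with ":" is an
// assumption; the advisory's snippet does not show how the list is aggregated.
func digestPieces(newHash func() hash.Hash, pieces []Piece) (pieceDigests []string, taskDigest string) {
	for _, p := range pieces {
		h := newHash()
		h.Write(p.Data)
		pieceDigests = append(pieceDigests, hex.EncodeToString(h.Sum(nil)))
	}
	h := newHash()
	h.Write([]byte(strings.Join(pieceDigests, ":")))
	return pieceDigests, hex.EncodeToString(h.Sum(nil))
}

// weakTaskDigest mirrors the pattern the advisory flags: MD5 per piece, which
// offers no collision resistance.
func weakTaskDigest(pieces []Piece) string {
	_, d := digestPieces(md5.New, pieces)
	return d
}

// strongTaskDigest is the hardened form: SHA-256 for both levels.
func strongTaskDigest(pieces []Piece) string {
	_, d := digestPieces(sha256.New, pieces)
	return d
}

// verify recomputes the SHA-256 task digest and compares it in constant time.
func verify(expected string, pieces []Piece) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(strongTaskDigest(pieces))) == 1
}

func main() {
	pieces := []Piece{{[]byte("piece-0")}, {[]byte("piece-1")}} // constructed input
	fmt.Println("md5   :", weakTaskDigest(pieces))
	fmt.Println("sha256:", strongTaskDigest(pieces))
	fmt.Println("verify:", verify(strongTaskDigest(pieces), pieces))
}
```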
References:
- ADVISORY: https://github.com/advisories/GHSA-hx2h-vjw2-8r54
- ADVISORY: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-hx2h-vjw2-8r54
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
  - data/reports/GO-2024-3136.yaml (https://github.com/golang/vulndb/issues/3136)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
        - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: DragonFly has weak integrity checks for downloaded files in d7y.io/dragonfly
cves:
    - CVE-2025-59354
ghsas:
    - GHSA-hx2h-vjw2-8r54
references:
    - advisory: GHSA-hx2h-vjw2-8r54
    - advisory: GHSA-hx2h-vjw2-8r54
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-hx2h-vjw2-8r54
    created: 2025-09-17T21:01:21.573906093Z
review_status: UNREVIEWED
```