Description
Advisory GHSA-mcvp-rpgg-9273 references a vulnerability in the following Go modules:
| Module |
|---|
| d7y.io/dragonfly/v2 |
| github.com/dragonflyoss/dragonfly |
Description:
Impact
The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed.
```go
// DownloadTinyFile downloads tiny file from peer without range.
func (p *Peer) DownloadTinyFile() ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(),
		downloadTinyFileContextTimeout)
	...
```
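The following is an added example written for this report, not Dragonfly's own code: it places a constructed reproduction of the weakness (a hard-coded `http` scheme) next to a hardened client that refuses anything but `https` and checks the downloaded body against a SHA-256 digest supplied out of band, so a body altered on the wire is rejected rather than silently accepted. The host, port, `/download/<taskID>` path layout, the 1 MiB size cap and the `expectedHex` parameter are all assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Constructed example; not Dragonfly's code. Host, port, path layout and the
// out-of-band expected digest are assumptions made for this illustration.

var (
	ErrPlaintextScheme = errors.New("tiny file download: scheme must be https")
	ErrDigestMismatch  = errors.New("tiny file download: body does not match expected sha256")
)

// insecureTinyFileURL reproduces the weakness described in the advisory:
// "http" is hard coded, so the download always travels in cleartext and can
// be rewritten by anyone on the path.
func insecureTinyFileURL(host string, port int, taskID string) string {
	return fmt.Sprintf("http://%s:%d/download/%s", host, port, taskID)
}

// tinyFileURL is the hardened counterpart: the scheme comes from
// configuration and anything other than https is rejected before a request
// is built. net/url escapes the task id instead of pasting it into the path.
func tinyFileURL(scheme, host string, port int, taskID string) (string, error) {
	if scheme != "https" {
		return "", ErrPlaintextScheme
	}
	u := url.URL{
		Scheme: scheme,
		Host:   fmt.Sprintf("%s:%d", host, port),
		Path:   "/download/" + url.PathEscape(taskID),
	}
	return u.String(), nil
}

// verifyTinyFile compares the SHA-256 of the body with a digest the caller
// obtained separately (for example from the scheduler's task metadata), so
// transport-level tampering cannot pass unnoticed. Comparison is constant time.
func verifyTinyFile(body []byte, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("tiny file download: bad expected digest %q", expectedHex)
	}
	got := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// downloadTinyFile fetches the file with the caller's client (which owns the
// TLS trust roots), caps the body at a "tiny" size, and returns it only when
// the digest matches.
func downloadTinyFile(client *http.Client, rawURL, expectedHex string) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, ErrPlaintextScheme
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("tiny file download: unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // assumed 1 MiB cap for a tiny file
	if err != nil {
		return nil, err
	}
	if err := verifyTinyFile(body, expectedHex); err != nil {
		return nil, err
	}
	return body, nil
}

func main() {
	fmt.Println("vulnerable:", insecureTinyFileURL("peer.example", 8080, "task-1"))
	u, err := tinyFileURL("https", "peer.example", 8080, "task-1")
	fmt.Println("hardened:  ", u, err)
	_, err = tinyFileURL("http", "peer.example", 8080, "task-1")
	fmt.Println("plaintext: ", err)
}
```

The scheme check in `downloadTinyFile` is deliberately repeated even though `tinyFileURL` already enforces it: a URL handed in from elsewhere (configuration, a peer announcement) should fail closed before any connection is opened, and the digest check catches the case the advisory describes, where the transport was downgraded and the content swapped.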
References:
- ADVISORY: https://github.com/advisories/GHSA-mcvp-rpgg-9273
- ADVISORY: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-mcvp-rpgg-9273
- WEB: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Cross references:
- d7y.io/dragonfly/v2 appears in 1 other report(s):
  - data/reports/GO-2024-3136.yaml (https://github.com/golang/vulndb/issues/3136)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: d7y.io/dragonfly/v2
      versions:
          - fixed: 2.1.0
      vulnerable_at: 2.1.0-rc.0
    - module: github.com/dragonflyoss/dragonfly
      vulnerable_at: 1.0.6
summary: DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly
cves:
    - CVE-2025-59410
ghsas:
    - GHSA-mcvp-rpgg-9273
references:
    - advisory: GHSA-mcvp-rpgg-9273
    - advisory: GHSA-mcvp-rpgg-9273
    - web: https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
source:
    id: GHSA-mcvp-rpgg-9273
    created: 2025-09-17T21:01:22.582699333Z
review_status: UNREVIEWED
```