CVE-2025-59353: 
vulnerability analysis and mitigation

Dragonfly, an open source P2P-based file distribution and image acceleration system, was found to contain a security vulnerability (CVE-2025-59353) prior to version 2.1.0. The vulnerability was discovered and disclosed on September 17, 2025, affecting all versions of Dragonfly before 2.1.0. The issue allows a peer to obtain valid TLS certificates for arbitrary IP addresses, which effectively renders the mTLS authentication mechanism useless (GitHub Advisory, NVD).

The vulnerability stems from the Manager's Certificate gRPC service failing to validate whether the requested IP addresses belong to the peer requesting the certificate. Specifically, the service does not verify if the peer connects from the same IP address as the one provided in the certificate request. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue has been classified under CWE-862 (Missing Authorization) and CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability allows attackers to obtain valid TLS certificates for arbitrary IP addresses, which compromises the mutual TLS (mTLS) authentication system. This could potentially lead to unauthorized access and impersonation attacks within the Dragonfly system (GitHub Advisory).

The vulnerability has been fixed in Dragonfly version 2.1.0. There are no effective workarounds available besides upgrading to the patched version. Users are strongly advised to upgrade to version 2.1.0 or later to address this security issue (GitHub Advisory).