CVE-2025-59354: 
vulnerability analysis and mitigation

Dragonfly, an open source P2P-based file distribution and image acceleration system, was found to have a security vulnerability in versions prior to 2.1.0. The vulnerability (CVE-2025-59354) involves the DragonFly2 system's use of various hash functions, including MD5, for downloaded files. The issue was discovered and disclosed on September 17, 2025, affecting all versions of the software before version 2.1.0 (NVD).

The vulnerability stems from the use of MD5 hash function, which does not provide collision resistance and is only secure against preimage attacks. The system uses these hash functions to verify the integrity of downloaded files. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Medium) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P, and a CVSS v3.1 base score of 5.3 (Medium) (NVD, GitHub Advisory).

The vulnerability allows attackers to replace legitimate files with malicious ones that have a colliding hash. In a practical attack scenario, an attacker could create two images - one innocent and one malicious - with colliding MD5 hashes for their respective pieces. When users attempt to download the innocent image, they might unknowingly receive and execute the malicious version instead (GitHub Advisory).

The vulnerability has been fixed in Dragonfly version 2.1.0. There are no effective workarounds besides upgrading to the patched version. Users are strongly encouraged to upgrade to version 2.1.0 or later to address this security issue (GitHub Advisory).