CVE-2025-59354

CVE-2025-59354 is a medium-severity security vulnerability in github.com/dragonflyoss/dragonfly (go), affecting versions < 2.1.0. It is fixed in 2.1.0.

Summary

Workarounds

There are no effective workarounds, beyond upgrading.

References

A third-party security audit was performed by Trail of Bits; you can see the full report.

If you have any questions or comments about this advisory, please email us at [email protected].

Impact

DragonFly2 uses a variety of hash functions, including MD5. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these guarantees may be enough for the DragonFly2 system, it is not completely clear whether there are scenarios in which the lack of collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system.

// Collect the advertised per-piece MD5 digests for this task.
var pieceDigests []string
for i := int32(0); i < t.TotalPieces; i++ {
	pieceDigests = append(pieceDigests, t.Pieces[i].Md5)
}
// The task-level sign is SHA-256 over the MD5 strings, so it is only as
// collision resistant as the MD5 piece digests it is built from.
digest := digest.SHA256FromStrings(pieceDigests...)
if digest != t.PieceMd5Sign {
	t.Errorf("invalid digest, desired: %s, actual: %s", t.PieceMd5Sign, digest)
	t.invalid.Store(true)
	return ErrInvalidDigest
}

Alice, a peer in the DragonFly2 system, creates two images: an innocent one and one containing malicious code. Both images consist of two pieces, and Alice generates the pieces so that their respective MD5 hashes collide (are the same); therefore the PieceMd5Sign metadata of both images is equal. Alice shares the innocent image with other peers, who attest to its validity (i.e., that it works as expected and is not malicious). Bob wants to download the image and requests it from the peer-to-peer network. After downloading the image, Bob checks its integrity with a SHA256 hash that is known to him. Alice, who is participating in the network, had already provided Bob with the other image, the malicious one. Bob unintentionally uses the malicious image.
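To make the weakness and the fix concrete, the following is an added Go example, not Dragonfly's own code: it models the sign computation from the snippet above (SHA-256 over per-piece digest strings) and a hardened verifier that refuses MD5 piece digests and recomputes SHA-256 from the downloaded bytes. The "algorithm:hex" digest form, the in-order concatenation inside SHA256FromStrings, and the sample pieces are assumptions constructed for this example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed two-piece sample image (not project data).
var samplePieces = [][]byte{[]byte("piece-0: layer header"), []byte("piece-1: layer payload")}

// Per-piece digests in an "algorithm:hex" form (assumed, modelled on the project's digest package).
func md5Hex(b []byte) string    { s := md5.Sum(b); return "md5:" + hex.EncodeToString(s[:]) }
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return "sha256:" + hex.EncodeToString(s[:]) }

// pieceSign mirrors the digest.SHA256FromStrings call in the snippet: SHA-256 over the per-piece
// digest strings in order (assumed). It binds only to those strings, so colliding piece digests give the same sign.
func pieceSign(pieceDigests []string) string {
	h := sha256.New()
	for _, d := range pieceDigests {
		h.Write([]byte(d))
	}
	return hex.EncodeToString(h.Sum(nil))
}
var errWeakDigest = errors.New("piece digest uses a non-collision-resistant algorithm")
// verifyPieces is the hardened check: refuse MD5 piece digests, recompute each piece's SHA-256
// from the downloaded bytes, and only then compare the combined sign.
func verifyPieces(pieces [][]byte, advertised []string, sign string) error {
	if len(pieces) != len(advertised) {
		return errors.New("piece count mismatch")
	}
	digests := make([]string, 0, len(pieces))
	for i, p := range pieces {
		if strings.HasPrefix(advertised[i], "md5:") {
			return errWeakDigest
		}
		if got := sha256Hex(p); got != advertised[i] {
			return fmt.Errorf("piece %d: invalid digest, desired: %s, actual: %s", i, advertised[i], got)
		}
		digests = append(digests, advertised[i])
	}
	if pieceSign(digests) != sign {
		return errors.New("invalid piece sign")
	}
	return nil
}
func main() {
	adv := []string{sha256Hex(samplePieces[0]), sha256Hex(samplePieces[1])}
	fmt.Println(verifyPieces(samplePieces, adv, pieceSign(adv))) // prints <nil> for an intact image
}
```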

Affected versions

  • github.com/dragonflyoss/dragonfly (< 2.1.0)
  • d7y.io/dragonfly/v2 (< 2.1.0)

Security releases

  • github.com/dragonflyoss/dragonfly → 2.1.0 (go)
  • d7y.io/dragonfly/v2 → 2.1.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

  • Dragonfly v2.1.0 and above.

Frequently Asked Questions

  1. What is CVE-2025-59354? CVE-2025-59354 is a medium-severity security vulnerability in github.com/dragonflyoss/dragonfly (go), affecting versions < 2.1.0. It is fixed in 2.1.0.
  2. Which packages are affected by CVE-2025-59354?
    • github.com/dragonflyoss/dragonfly (go) (versions < 2.1.0)
    • d7y.io/dragonfly/v2 (go) (versions < 2.1.0)
  3. Is there a fix for CVE-2025-59354? Yes. CVE-2025-59354 is fixed in 2.1.0. Upgrade to this version or later.
  4. Is CVE-2025-59354 exploitable, and should I be worried? Whether CVE-2025-59354 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2025-59354 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-59354?
    • Upgrade github.com/dragonflyoss/dragonfly to 2.1.0 or later
    • Upgrade d7y.io/dragonfly/v2 to 2.1.0 or later

Other vulnerabilities in github.com/dragonflyoss/dragonfly