Dragonfly HTTP Protocol Vulnerability in Tiny File Download Scheduler Allows Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in Dragonfly versions prior to 2.1.0, where the scheduler for downloading small files is hard-coded to use the HTTP protocol instead of HTTPS. Because the traffic is unencrypted and unauthenticated, an attacker can conduct a Man-in-the-Middle attack, intercepting and altering the network requests so that different data is downloaded. The issue is exacerbated by weak integrity checks, which can allow modifications to the downloaded files to go undetected.

Impact

Exploitation of this vulnerability could lead to unauthorized interception and alteration of data being downloaded, allowing malicious files to replace legitimate ones without detection.

Remediation

Users can upgrade to Dragonfly version 2.1.0 or later to address this vulnerability.
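
The two weaknesses described under Vulnerability, a download URL fixed to HTTP and an integrity check too weak to catch tampering, are countered by enforcing HTTPS on every hop and comparing the body against a digest obtained from a trusted source. The Go sketch below is an added example, not Dragonfly's code: requireHTTPS, verifySHA256 and fetchVerified are hypothetical names, SHA-256 and the 1 MiB cap are this example's choices, and peer.example is a constructed host.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// requireHTTPS rejects any download URL that would travel in cleartext.
func requireHTTPS(raw string) error {
	if u, err := url.Parse(raw); err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("refusing non-HTTPS download URL %q", raw)
	}
	return nil
}

// verifySHA256 returns data only if it matches a lowercase hex digest from a trusted source.
func verifySHA256(data []byte, wantHex string) ([]byte, error) {
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != wantHex {
		return nil, fmt.Errorf("SHA-256 mismatch: content is not the expected file")
	}
	return data, nil
}

// fetchVerified (hypothetical helper) stays on HTTPS across redirects and checks the digest.
func fetchVerified(raw, wantHex string) ([]byte, error) {
	if err := requireHTTPS(raw); err != nil {
		return nil, err
	}
	c := &http.Client{CheckRedirect: func(r *http.Request, _ []*http.Request) error {
		return requireHTTPS(r.URL.String())
	}}
	resp, err := c.Get(raw)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1 MiB cap is an assumed limit
	if err != nil {
		return nil, err
	}
	return verifySHA256(data, wantHex)
}

// Constructed URL: refused before any network traffic is sent.
func main() { fmt.Println(requireHTTPS("http://peer.example:8080/tiny")) }
```

The redirect hook matters because a server reached over HTTPS can still redirect the client to an http:// location, which would reopen the cleartext path.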

Added: Sep 17, 2025, 8:18 PM
Updated: Sep 17, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.