CVE-2025-54290

MEDIUM5.3EPSS 0.12%

Canonical LXD Project Existence Determination Through Error Handling in Image Export Function in github.com/canonical/lxd

Published: 10/2/2025Modified: 4/28/2026

Description

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Affected packages (4)

Debian/incusfrom 0, < 6.0.4-2+deb13u1
Debian/lxdfrom 0
Go/github.com/canonical/lxd>= 4.0, < 5.21.4
Go/github.com/canonical/lxd>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54290
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-54290
PATCHhttps://github.com/canonical/lxd
WEBhttps://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
WEBhttps://pkg.go.dev/vuln/GO-2025-4002