CVE-2025-54291

MEDIUM5.3EPSS 0.11%

Canonical LXD Project Existence Determination Through Error Handling in Image Get Function in github.com/canonical/lxd

Published: 10/2/2025Modified: 4/28/2026

Description

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Affected packages (4)

Debian/incusfrom 0, < 6.0.4-2+deb13u1
Debian/lxdfrom 0
Go/github.com/canonical/lxd>= 4.0, < 5.21.4
Go/github.com/canonical/lxd>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54291
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-54291
PATCHhttps://github.com/canonical/lxd
WEBhttps://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7
WEBhttps://pkg.go.dev/vuln/GO-2025-4005