CVE-2025-0928
Severity: 8.8 HIGH
EPSS: 0.9% (top 24.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 8
Latest update: Jul 28
Description
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)
Affected Packages: 3 packages
Vulnerability Details
OSV: Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju (2025-07-28)
OSV: Juju allows arbitrary executable uploads via authenticated endpoint without authorization (2025-07-09)
GHSA: Juju allows arbitrary executable uploads via authenticated endpoint without authorization (2025-07-09)