CVE-2025-54287

CWE-1336 | 7 documents | 5 sources

Severity: 7.1 HIGH
EPSS: 0.1% (top 80.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 2; latest update Nov 5

Description

Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (5 packages)

Source      | Package             | Versions                  | More
------------|---------------------|---------------------------|-----
CVEList V5  | canonical/lxd       | 6.0, 6.5                  | +1
NVD         | canonical/lxd       | 4.0.0, 5.21.4             | +1
Go          | github.com/lxc/lxd  | 4.0.0, 5.21.4             | +2
Debian      | lxd                 | < 5.0.2-5+deb12u1         | +1
Debian      | incus               | < 6.0.4-2+deb13u1         | +1

Vulnerability Details (5)

OSV: Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns in github.com/lxc/lxd (2025-11-05)
CVEList: Arbitrary File Read via Template Injection in Snapshot Patterns (2025-10-02)
OSV: Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns (2025-10-02)
GHSA: Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns (2025-10-02)
OSV: CVE-2025-54287: Template Injection in instance snapshot creation component in Canonical LXD (>= 4 (2025-10-02)

Vendor Advisories (1)

Debian: CVE-2025-54287: incus - Template Injection in instance snapshot creation component in Canonical LXD (>= ... (2025)
CVE-2025-54287 (HIGH CVSS 7.1) | Template Injection in instance snap | cvebase.io