CVE-2025-54290

CWE-200 — Information Exposure7 documents5 sources

Severity

6.9MEDIUM

EPSS

0.1%

top 74.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical LXD Github.com Canonical/lxd

Timeline

PublishedOct 2

Latest updateNov 5

Description

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5canonical/lxd6.0 — 6.5+1

▶NVDcanonical/lxd4.0.0 — 5.21.4+1

▶Gogithub.com/canonical/lxd4.0 — 5.21.4+2

▶Debianincus< 6.0.4-2+deb13u1+1

🔴Vulnerability Details

OSV

Canonical LXD Project Existence Determination Through Error Handling in Image Export Function in github.com/canonical/lxd↗2025-11-05

▶

OSV

CVE-2025-54290: Information disclosure in image export API in Canonical LXD before 6↗2025-10-02

▶

CVEList

Project Existence Disclosure via Error Handling in LXD Image Export↗2025-10-02

▶

OSV

Canonical LXD Project Existence Determination Through Error Handling in Image Export Function↗2025-10-02

▶

GHSA

Canonical LXD Project Existence Determination Through Error Handling in Image Export Function↗2025-10-02

▶

📋Vendor Advisories

Debian

CVE-2025-54290: incus - Information disclosure in image export API in Canonical LXD before 6.5 and 5.21....↗2025

▶