CVE-2025-54290
published 2025-10-02CVE-2025-54290: Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without…
medium6.9CVSS 4.0
AVNACLATNPRNUINVCLVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 4.0.0 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 5.21 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 6.0 < 6.5 | 6.5 |
| canonical | lxd | >= 6.1 < 6.5 | 6.5 |
| debian | incus | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| debian | lxd | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| github.com | canonical_lxd | >= 0.0.0-20200331193331-03aab09f5b5c < 0.0.0-20250827065555-0494f5d47e41 | 0.0.0-20250827065555-0494f5d47e41 |
| github.com | canonical_lxd | >= 4.0 < 5.21.4 | 5.21.4 |
| github.com | canonical_lxd | >= 6.0 < 6.5 | 6.5 |
CVSS provenance
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv6.9MEDIUM