CVE-2025-54291
published 2025-10-02
medium 6.9 (CVSS 4.0)
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 4.0.0 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 5.21 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 6.0 < 6.5 | 6.5 |
| canonical | lxd | >= 6.1 < 6.5 | 6.5 |
| debian | incus | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| debian | lxd | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| github.com | canonical_lxd | >= 0.0.0-20200331193331-03aab09f5b5c < 0.0.0-20250827065555-0494f5d47e41 | 0.0.0-20250827065555-0494f5d47e41 |
| github.com | canonical_lxd | >= 4.0 < 5.21.4 | 5.21.4 |
| github.com | canonical_lxd | >= 6.0 < 6.5 | 6.5 |
CVSS provenance
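| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.9 | MEDIUM | |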