CVE-2025-54291

CWE-2097 documents5 sources

Severity

6.9MEDIUM

EPSS

0.1%

top 74.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical LXD Github.com Canonical/lxd

Timeline

PublishedOct 2

Latest updateNov 5

Description

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5canonical/lxd6.0 — 6.5+1

▶NVDcanonical/lxd4.0.0 — 5.21.4+1

▶Gogithub.com/canonical/lxd4.0 — 5.21.4+2

▶Debianincus< 6.0.4-2+deb13u1+1

🔴Vulnerability Details

OSV

Canonical LXD Project Existence Determination Through Error Handling in Image Get Function in github.com/canonical/lxd↗2025-11-05

▶

OSV

Canonical LXD Project Existence Determination Through Error Handling in Image Get Function↗2025-10-02

▶

CVEList

Project existence disclosure in LXD images API↗2025-10-02

▶

OSV

CVE-2025-54291: Information disclosure in images API in Canonical LXD before 6↗2025-10-02

▶

GHSA

Canonical LXD Project Existence Determination Through Error Handling in Image Get Function↗2025-10-02

▶

📋Vendor Advisories

Debian

CVE-2025-54291: incus - Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on a...↗2025

▶