DEBIAN-CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.

References

https://security-tracker.debian.org/tracker/CVE-2025-54287

Affected packages

Debian:13 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.4-2+deb13u1

Affected versions

6.*

6.0.4-2

6.0.4-2+deb13u1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.5-1

Affected versions

6.*

6.0.4-2

6.0.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2-5+deb12u1

Affected versions

5.*

5.0.2-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2+git20231211.1364ae4-9+deb13u1

Affected versions

5.*

5.0.2+git20231211.1364ae4-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}