CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

References

https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525

Affected packages

Git / github.com/canonical/lxd

Affected ranges

Type

GIT

Repo

https://github.com/canonical/lxd

Events

Introduced

03aab09f5b5cbdada00c6539877dcf5932fcde98

Fixed

0494f5d47e41af69a8374568c0cb8b3eefd72a6a

Introduced

5a492a3f0036c44d22c344505952e06ce517993a

Fixed

fec3cc832ca782d398c82d38f8532ef9d5be2e00

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "5.21.4"
        },
        {
            "introduced": "6.1"
        },
        {
            "fixed": "6.5"
        }
    ]
}

Affected versions

lxd-4.*

lxd-4.0.0

lxd-4.1

lxd-4.10

lxd-4.11

lxd-4.12

lxd-4.13

lxd-4.14

lxd-4.15

lxd-4.16

lxd-4.17

lxd-4.18

lxd-4.19

lxd-4.2

lxd-4.20

lxd-4.21

lxd-4.22

lxd-4.23

lxd-4.24

lxd-4.3

lxd-4.4

lxd-4.5

lxd-4.6

lxd-4.7

lxd-4.8

lxd-4.9

lxd-5.*

lxd-5.0.0

lxd-5.1

lxd-5.10

lxd-5.11

lxd-5.12

lxd-5.13

lxd-5.14

lxd-5.15

lxd-5.16

lxd-5.17

lxd-5.18

lxd-5.19

lxd-5.2

lxd-5.20

lxd-5.21.0

lxd-5.21.1

lxd-5.21.2

lxd-5.21.3

lxd-5.3

lxd-5.4

lxd-5.5

lxd-5.6

lxd-5.7

lxd-5.8

lxd-5.9

lxd-6.*

lxd-6.1

lxd-6.2

lxd-6.3

lxd-6.4

v5.*

v5.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54288.json"