CVE-2025-54290

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

References

https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35

Affected packages

Git / github.com/canonical/lxd

Affected ranges

Type

GIT

Repo

https://github.com/canonical/lxd

Events

Introduced

03aab09f5b5cbdada00c6539877dcf5932fcde98

Fixed

0494f5d47e41af69a8374568c0cb8b3eefd72a6a

Introduced

5a492a3f0036c44d22c344505952e06ce517993a

Fixed

fec3cc832ca782d398c82d38f8532ef9d5be2e00

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "5.21.4"
        },
        {
            "introduced": "6.1"
        },
        {
            "fixed": "6.5"
        }
    ]
}

Affected versions

lxd-4.*

lxd-4.0.0

lxd-4.1

lxd-4.10

lxd-4.11

lxd-4.12

lxd-4.13

lxd-4.14

lxd-4.15

lxd-4.16

lxd-4.17

lxd-4.18

lxd-4.19

lxd-4.2

lxd-4.20

lxd-4.21

lxd-4.22

lxd-4.23

lxd-4.24

lxd-4.3

lxd-4.4

lxd-4.5

lxd-4.6

lxd-4.7

lxd-4.8

lxd-4.9

lxd-5.*

lxd-5.0.0

lxd-5.1

lxd-5.10

lxd-5.11

lxd-5.12

lxd-5.13

lxd-5.14

lxd-5.15

lxd-5.16

lxd-5.17

lxd-5.18

lxd-5.19

lxd-5.2

lxd-5.20

lxd-5.21.0

lxd-5.21.1

lxd-5.21.2

lxd-5.21.3

lxd-5.3

lxd-5.4

lxd-5.5

lxd-5.6

lxd-5.7

lxd-5.8

lxd-5.9

lxd-6.*

lxd-6.1

lxd-6.2

lxd-6.3

lxd-6.4

v5.*

v5.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54290.json"