CVE-2025-54293

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

References

https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h

Affected packages

Git / github.com/canonical/lxd

Affected ranges

Type

GIT

Repo

https://github.com/canonical/lxd

Events

Introduced

03aab09f5b5cbdada00c6539877dcf5932fcde98

Fixed

0494f5d47e41af69a8374568c0cb8b3eefd72a6a

Introduced

Fixed

fec3cc832ca782d398c82d38f8532ef9d5be2e00

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "5.21.4"
        },
        {
            "introduced": "6.0"
        },
        {
            "fixed": "6.5"
        }
    ]
}

Affected versions

lxd-4.*

lxd-4.0.0

lxd-4.1

lxd-4.10

lxd-4.11

lxd-4.12

lxd-4.13

lxd-4.14

lxd-4.15

lxd-4.16

lxd-4.17

lxd-4.18

lxd-4.19

lxd-4.2

lxd-4.20

lxd-4.21

lxd-4.22

lxd-4.23

lxd-4.24

lxd-4.3

lxd-4.4

lxd-4.5

lxd-4.6

lxd-4.7

lxd-4.8

lxd-4.9

lxd-5.*

lxd-5.0.0

lxd-5.1

lxd-5.10

lxd-5.11

lxd-5.12

lxd-5.13

lxd-5.14

lxd-5.15

lxd-5.16

lxd-5.17

lxd-5.18

lxd-5.19

lxd-5.2

lxd-5.20

lxd-5.21.0

lxd-5.21.1

lxd-5.21.2

lxd-5.21.3

lxd-5.3

lxd-5.4

lxd-5.5

lxd-5.6

lxd-5.7

lxd-5.8

lxd-5.9

lxd-6.*

lxd-6.1

lxd-6.2

lxd-6.3

lxd-6.4

v5.*

v5.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54293.json"