Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
Advisories
Source ID Title
Debian DSA Debian DSA DSA-6027-1 incus security update
EUVD EUVD EUVD-2025-32094 Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
Github GHSA Github GHSA GHSA-xch9-h8qw-85c7 Canonical LXD Project Existence Determination Through Error Handling in Image Get Function
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 24 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 03 Oct 2025 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical lxd
Vendors & Products Canonical
Canonical lxd

Thu, 02 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Oct 2025 09:30:00 +0000

Type Values Removed Values Added
Description Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
Title Project existence disclosure in LXD images API
Weaknesses CWE-209
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2025-10-02T17:29:54.196Z

Reserved: 2025-07-18T07:59:07.917Z

Link: CVE-2025-54291

cve-icon Vulnrichment

Updated: 2025-10-02T17:29:46.451Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-02T10:15:39.387

Modified: 2025-10-24T14:11:07.983

Link: CVE-2025-54291

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-10-03T08:22:53Z