CVE-2025-54286
📋 TL;DR
This CSRF vulnerability in LXD-UI allows attackers to create and start container instances without user consent by tricking authenticated users into submitting malicious HTML forms. It affects Canonical LXD installations with client certificate authentication enabled. Users running LXD versions 5.0 and above on Linux are vulnerable.
💻 Affected Systems
- Canonical LXD
📦 What is this software?
Lxd by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create and launch malicious containers with elevated privileges, potentially gaining persistent access to the host system, exfiltrating data, or launching further attacks within the network.
Likely Case
Unauthorized container creation leading to resource consumption, potential data exposure from misconfigured containers, and lateral movement opportunities within the infrastructure.
If Mitigated
Limited impact with proper CSRF protections and network segmentation in place, though unauthorized container creation could still occur if a user is tricked into visiting a malicious site.
🎯 Exploit Status
Exploitation requires the victim to be authenticated via client certificates and visit a malicious website while authenticated. The attack uses standard CSRF techniques with crafted HTML forms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h
Restart Required: Yes
Instructions:
1. Update LXD to the latest patched version.
2. Restart the LXD service.
3. Verify the fix by checking the version and testing CSRF protections.
🔧 Temporary Workarounds
Disable Client Certificate Authentication
Linux: Temporarily disable client certificate authentication until patching is possible
# Edit LXD configuration to remove client certificate auth
# Restart LXD service: sudo systemctl restart lxd
Network Segmentation
Linux: Restrict access to LXD-UI to trusted networks only
# Configure firewall rules to limit LXD-UI access (LXD listens on TCP 8443 by default)
# Example: sudo ufw deny 8443/tcp
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and CSRF tokens in web applications that interact with LXD
- Use browser extensions that block cross-site requests or implement additional authentication steps for container operations
🔍 How to Verify
Check if Vulnerable:
Run lxd --version to check the LXD version, and review the LXD configuration to see whether client certificate authentication is enabled.
Check Version:
lxd --version
Verify Fix Applied:
Confirm the installed LXD version is beyond the vulnerable versions, and test the CSRF protections by attempting to submit cross-origin requests to LXD-UI endpoints.
📡 Detection & Monitoring
Log Indicators:
- Unexpected container creation events in LXD logs
- Authentication attempts from unusual sources
- Multiple container creation requests in short timeframes
Network Indicators:
- HTTP POST requests to LXD-UI container creation endpoints from external domains
- Cross-origin requests to LXD API endpoints
SIEM Query:
source="lxd" AND (event="container_create" OR event="container_start") AND user_agent CONTAINS "Mozilla"
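The "multiple container creation requests in short timeframes" indicator above, turned into runnable detection logic as an added example (not code from the advisory or from LXD). The JSON-lines event layout and the sample events are constructed for illustration; map the field names onto whatever your LXD logging actually emits.

```python
# Added example (not LXD's code): flag browser-driven bursts of instance
# create/start events, the pattern a CSRF-triggered creation would leave.
# The JSON-lines layout (ts, action, source, user_agent) is constructed;
# map the field names onto what your LXD logging actually emits.
import json
from datetime import datetime, timedelta

# Constructed sample: one CLI creation, then four browser actions in 40 s.
SAMPLE_EVENTS = """\
{"ts": "2025-08-01T10:00:00Z", "action": "instance-created", "source": "10.0.0.5", "user_agent": "lxc/5.21"}
{"ts": "2025-08-01T12:00:00Z", "action": "instance-created", "source": "10.0.0.9", "user_agent": "Mozilla/5.0"}
{"ts": "2025-08-01T12:00:15Z", "action": "instance-started", "source": "10.0.0.9", "user_agent": "Mozilla/5.0"}
{"ts": "2025-08-01T12:00:20Z", "action": "instance-created", "source": "10.0.0.9", "user_agent": "Mozilla/5.0"}
{"ts": "2025-08-01T12:00:40Z", "action": "instance-created", "source": "10.0.0.9", "user_agent": "Mozilla/5.0"}
"""
WATCHED_ACTIONS = {"instance-created", "instance-started"}


def parse_events(text):
    """Parse JSON-lines events; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def find_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Return sorted (source, count) pairs for sources that issued at least
    `threshold` browser-originated watched actions inside `window`.
    CSRF rides the victim's browser, so CLI clients (no Mozilla UA) are skipped."""
    hits, per_source = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in WATCHED_ACTIONS or "Mozilla" not in ev.get("user_agent", ""):
            continue
        times = per_source.setdefault(ev["source"], [])
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            hits[ev["source"]] = max(hits.get(ev["source"], 0), len(times))
    return sorted(hits.items())


if __name__ == "__main__":
    print(find_bursts(parse_events(SAMPLE_EVENTS)))  # [('10.0.0.9', 4)]
```

Tune `threshold` and `window` to the normal rate of interactive container creation in your environment; a lone creation from a browser is expected, a rapid series from one source is not.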