CVE-2025-54290
📋 TL;DR
This vulnerability allows unauthenticated network attackers to determine whether specific LXD projects exist by sending crafted requests with wildcard fingerprints to the image export API. It affects Canonical LXD installations on Linux where the API is exposed to untrusted networks. The information disclosure could help attackers map internal project structures.
💻 Affected Systems
- Canonical LXD
📦 What is this software?
LXD by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all projects in an LXD deployment, potentially identifying sensitive projects and preparing for targeted attacks against specific project resources.
Likely Case
Attackers discover project names and existence, which could be used for reconnaissance and planning further attacks against identified projects.
If Mitigated
With proper network segmentation and authentication requirements, the impact is limited to information disclosure about project naming conventions.
🎯 Exploit Status
The advisory describes the vulnerability clearly, making exploitation straightforward for attackers with network access to the API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LXD 6.5 or 5.21.4
Vendor Advisory: https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
Restart Required: Yes
Instructions:
1. Update LXD to version 6.5 or 5.21.4 using your distribution's package manager.
2. Restart the LXD service.
3. Verify the version is updated.
🔧 Temporary Workarounds
Restrict API Network Access
Configure LXD to listen only on the local Unix socket, or restrict network access to trusted addresses. The commands below bind the HTTPS API to loopback only:
lxc config set core.https_address [::1]:8443
lxc config set core.https_address 127.0.0.1:8443
Enable Authentication Requirements
Ensure all API endpoints require proper authentication
lxc config set core.trust_password your_secure_password
🧯 If You Can't Patch
- Implement strict network firewall rules to only allow trusted sources to access the LXD API port (default 8443)
- Monitor API logs for unusual access patterns or enumeration attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the LXD version is below 6.5 or 5.21.4 and whether the API is reachable from untrusted networks.
Check Version:
lxc --version
Verify Fix Applied:
Confirm the LXD version is 6.5, 5.21.4 or higher, and test that wildcard fingerprint requests no longer reveal whether a project exists.
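The two verification checks above (version at or above the fix, HTTPS API bound somewhere reachable) as an added Python script. This is an illustration written for this page, not Canonical's tooling; it assumes the fixed versions stated above (6.5 and 5.21.4) and, when run live, reads `lxc --version` and `lxc config get core.https_address`. The parsing helpers are pure functions so they can be exercised without an LXD daemon.

```python
"""Offline check for CVE-2025-54290 exposure (added example, not LXD code).

Inputs are the text printed by `lxc --version` (e.g. "5.21.3") and the
value of `core.https_address` as returned by `lxc config get`.
"""
import re
import subprocess
from typing import Tuple

# Fixed versions per the advisory: 6.5 on the 6.x series, 5.21.4 on 5.21.x.
FIXED_VERSIONS = ((6, 5, 0), (5, 21, 4))

# Addresses that only local processes can reach.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.21.3' or '6.5' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised LXD version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_fixed_version(text: str) -> bool:
    """True if the version carries the fix.

    Same major series as a fixed release: fixed when (minor, patch) is at or
    above that release.  A major series newer than every listed fix: fixed.
    Anything older (e.g. 4.x) is treated as unpatched.
    """
    v = parse_version(text)
    for fixed in FIXED_VERSIONS:
        if v[0] == fixed[0]:
            return v[1:] >= fixed[1:]
    return v[0] > max(f[0] for f in FIXED_VERSIONS)


def listens_on_untrusted_address(https_address: str) -> bool:
    """True if core.https_address would accept connections from other hosts.

    An empty value means the HTTPS API is off (Unix socket only).  LXD accepts
    forms such as '127.0.0.1:8443', '[::1]:8443', ':8443' (all interfaces)
    and a bare address without a port.
    """
    value = https_address.strip()
    if not value:
        return False  # no network listener at all
    if value.startswith("["):  # bracketed IPv6 literal with port
        host = value[1:value.index("]")]
    elif value.count(":") == 1:  # host:port (IPv4 or hostname)
        host = value.split(":")[0]
    else:  # bare IPv4/hostname, or bare IPv6 literal
        host = value
    if host == "":
        return True  # ':8443' binds every interface
    return host not in LOOPBACK


def assess(version_text: str, https_address: str) -> dict:
    """Combine both checks; at_risk means unpatched AND reachable off-host."""
    fixed = is_fixed_version(version_text)
    exposed = listens_on_untrusted_address(https_address)
    return {
        "version": ".".join(map(str, parse_version(version_text))),
        "fixed": fixed,
        "network_exposed": exposed,
        "at_risk": (not fixed) and exposed,
    }


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live mode: needs `lxc` on PATH and permission to talk to the daemon.
    verdict = assess(_run(["lxc", "--version"]),
                     _run(["lxc", "config", "get", "core.https_address"]))
    for key, val in verdict.items():
        print(f"{key}: {val}")
```

Note that a loopback-only listener is treated as not exposed; a host that is patched but still listens on all interfaces is reported as exposed but not at risk for this particular CVE.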
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with wildcard patterns
- Unusual access patterns to image export API endpoints
Network Indicators:
- Unusual traffic to LXD API port (default 8443) from untrusted sources
- Patterns of requests with wildcard characters in parameters
SIEM Query:
source="lxd" AND ("wildcard" OR "*" OR "%" OR "?") AND ("image" OR "export" OR "fingerprint")
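The log and network indicators above, turned into concrete detection logic as an added Python example (written for this page, not part of LXD or the advisory). The log line format is an assumption: one request per line as `<timestamp> <client-ip> <method> <path-with-query>`; LXD's own request logging differs, so adapt `LINE_RE` to your collector's output. The logic keys on the request path rather than on a bare `*` search term, because in most SIEM query languages a quoted `*` is itself a wildcard and matches broadly. It flags image export requests (`/1.0/images/{fingerprint}/export`) whose fingerprint segment is not a plain hex digest, decoding percent-encoding first, and then counts how many distinct `project` values each client probed that way. The sample log lines are constructed.

```python
"""Detection sketch for project enumeration via wildcard image exports.
Added example; log format and sample lines are constructed assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed collector format: "<ts> <ip> <METHOD> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
EXPORT_RE = re.compile(r"^/1\.0/images/(?P<fp>[^/]+)/export/?$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# '?' cannot occur in a path segment (it starts the query), so it is not listed.
WILDCARD_CHARS = set("*%")


class Hit(NamedTuple):
    ip: str
    fingerprint: str
    project: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a suspicious image-export request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a request line we understand
    parts = urlsplit(m["url"])
    em = EXPORT_RE.match(parts.path)
    if not em:
        return None  # not the image export endpoint
    fp = unquote(em["fp"])  # '%2A' -> '*', so encoding does not hide it
    project = parse_qs(parts.query).get("project", ["default"])[0]
    if WILDCARD_CHARS & set(fp):
        return Hit(m["ip"], fp, project, "wildcard characters in fingerprint")
    if not HEX_RE.match(fp.lower()):
        return Hit(m["ip"], fp, project, "non-hex fingerprint")
    return None  # ordinary export of a concrete image


def enumeration_report(lines: List[str], threshold: int = 3) -> Dict[str, dict]:
    """Per client IP: suspicious export hits and distinct projects probed.
    A client that touched at least `threshold` projects is marked enumerating."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"hits": 0, "projects": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            per_ip[hit.ip]["hits"] += 1
            per_ip[hit.ip]["projects"].add(hit.project)
    return {
        ip: {
            "hits": d["hits"],
            "projects": sorted(d["projects"]),
            "enumerating": len(d["projects"]) >= threshold,
        }
        for ip, d in per_ip.items()
    }


# Constructed sample: one legitimate export, one client sweeping projects,
# one unrelated request.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 GET /1.0/images/3e4a9f0c1b2d5e6f7a8b9c0d1e2f3a4b/export?project=default
2025-08-01T10:00:02Z 203.0.113.7 GET /1.0/images/*/export?project=default
2025-08-01T10:00:02Z 203.0.113.7 GET /1.0/images/%2A/export?project=staging
2025-08-01T10:00:03Z 203.0.113.7 GET /1.0/images/*/export?project=finance
2025-08-01T10:00:03Z 203.0.113.7 GET /1.0/images/*/export?project=ci
2025-08-01T10:00:04Z 10.0.0.9 GET /1.0/instances?project=default
"""

if __name__ == "__main__":
    for ip, summary in enumeration_report(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Tune `threshold` to the number of projects a legitimate client normally touches; a CI host that exports images from several projects will otherwise show up alongside a scanner, so pair this with an allow-list of known automation sources.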