CVE-2025-54291

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to determine whether specific projects exist in Canonical LXD by observing different HTTP status code responses from the images API. This affects all platforms running LXD versions before 6.5 and 5.21.4.

💻 Affected Systems

Products:
  • Canonical LXD
Versions: All versions before 6.5 and 5.21.4
Operating Systems: All platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all LXD deployments with the images API accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map all projects in an LXD deployment, potentially identifying sensitive or restricted projects for targeted attacks.

🟠

Likely Case

Information leakage about project structure and existence, enabling reconnaissance for further attacks.

🟢

If Mitigated

Limited to project enumeration without access to actual project data or images.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple comparison of HTTP response status codes for different project names, requiring no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LXD 6.5 or 5.21.4

Vendor Advisory: https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7

Restart Required: Yes

Instructions:

1. Update LXD to version 6.5 or 5.21.4 using your package manager.
2. Restart the LXD service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Restrict API Access

Platform: all

Limit network access to the LXD API to trusted networks only.

Configure firewall rules to restrict access to the LXD API port (default 8443).

Disable Images API

Platform: linux

Temporarily disable the images API if not required.

Modify the LXD configuration to disable the images API endpoints.

🧯 If You Can't Patch

  • Implement network segmentation to isolate LXD instances from untrusted networks.
  • Monitor for unusual HTTP request patterns to images API endpoints.

🔍 How to Verify

Check if Vulnerable:

Check LXD version with 'lxd --version' or 'snap info lxd' if installed via snap.

Check Version:

lxd --version

Verify Fix Applied:

Confirm version is 6.5 or higher, or 5.21.4 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP 404 vs 403 responses for images API requests from single IPs
  • Unusual request patterns to /1.0/images endpoints

Network Indicators:

  • Repeated HTTP requests to LXD API images endpoints from external IPs
  • Patterns of requests with different project names

SIEM Query:

source="lxd" AND (uri_path="/1.0/images" OR uri_path="/1.0/images/*") AND (status=404 OR status=403) | stats count by src_ip
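As an added detection example (not LXD's code and not part of this advisory), the Python below parses constructed access-log lines in a simplified `src_ip method path status` layout (an assumption, not LXD's actual log format) and flags source IPs that queried the images API with several distinct project names and received both 403 and 404 responses, the log indicator described above:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines for this example: "<src_ip> <method> <path> <status>".
# This is NOT LXD's real log layout; adapt parse_line() to your collector's format.
SAMPLE_LOG = """\
203.0.113.7 GET /1.0/images?project=default 200
203.0.113.7 GET /1.0/images?project=finance 403
203.0.113.7 GET /1.0/images?project=hr 404
203.0.113.7 GET /1.0/images?project=research 403
203.0.113.7 GET /1.0/images?project=staging 404
198.51.100.4 GET /1.0/images?project=default 200
198.51.100.4 GET /1.0/instances 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (src_ip, path, project, status) for an images API request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, _method, url, status = m.groups()
    parsed = urlparse(url)
    if not (parsed.path == "/1.0/images" or parsed.path.startswith("/1.0/images/")):
        return None
    # LXD scopes requests with the ?project= query parameter; absent means "default".
    project = parse_qs(parsed.query).get("project", ["default"])[0]
    return src_ip, parsed.path, project, int(status)

def find_enumeration(log_text, min_projects=3):
    """Map src_ip -> sorted project names for IPs that probed at least
    min_projects distinct projects and saw both 403 and 404 on the images API."""
    projects = defaultdict(set)
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, _path, project, status = rec
        projects[src_ip].add(project)
        statuses[src_ip].add(status)
    return {
        ip: sorted(projects[ip])
        for ip in projects
        if len(projects[ip]) >= min_projects and {403, 404} <= statuses[ip]
    }
```

Tune `min_projects` to your environment; a single client legitimately switching between two or three projects should not trip the rule, whereas a sweep across many names with mixed 403/404 results is the pattern worth alerting on.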
