CVE-2025-54288
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server in github.com/canonical/lxd
4.1
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
The devLXD server in Canonical LXD 4.0 and later (on Linux container hosts) identified the container a request came from by inspecting process names in the calling process's command line (/proc/<pid>/cmdline), a value that a root process inside a container can rewrite. An attacker with root privileges in any container on the host could therefore present a spoofed process name, be treated as a different container, and obtain that container's metadata, configuration, and device information through devLXD. Impact is limited to confidentiality; the attacker cannot modify the other container through this path.
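The following Go example illustrates the identification problem the description refers to. It is an added example written for this page, not LXD code and not the fix that shipped. Everything in it is constructed: the procEntry type, the procTable sample of /proc-like data, the "[lxc monitor]" argv format, the containerPidNS registry, and the two lookups cmdlineLookup and pidNSLookup. cmdlineLookup models the spoofable pattern (walk up from the peer PID and trust the first command line that looks like a container monitor); pidNSLookup models one sound alternative, keying on the peer's PID-namespace inode, which only the kernel assigns, and is offered as an assumption about good design rather than a statement of what 5.21.4 does.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// procEntry is a constructed stand-in for the parts of /proc/<pid> that the two
// lookups below read. It is an assumption for this example, not LXD code.
type procEntry struct {
	ppid    int    // parent pid, as in /proc/<pid>/stat
	cmdline []byte // /proc/<pid>/cmdline: NUL-separated argv, rewritable by the process itself
	pidNS   uint64 // inode of /proc/<pid>/ns/pid: assigned by the kernel, not writable
}

// monitorPrefix is the assumed argv[0] of a container monitor process.
const monitorPrefix = "[lxc monitor]"

// procTable is constructed sample data. PIDs 100 and 200 are the host-side
// monitor processes for containers "web" and "db"; 1000 is web's init; 1300 is
// an ordinary shell inside web; 1234 is a root process inside web that has
// rewritten its argv to look exactly like the monitor for "db".
var procTable = map[int]procEntry{
	1:    {ppid: 0, cmdline: []byte("/sbin/init\x00"), pidNS: 4026531836},
	100:  {ppid: 1, cmdline: []byte(monitorPrefix + "\x00web\x00"), pidNS: 4026531836},
	200:  {ppid: 1, cmdline: []byte(monitorPrefix + "\x00db\x00"), pidNS: 4026531836},
	1000: {ppid: 100, cmdline: []byte("/sbin/init\x00"), pidNS: 4026532555},
	1300: {ppid: 1000, cmdline: []byte("/bin/sh\x00"), pidNS: 4026532555},
	1234: {ppid: 1000, cmdline: []byte(monitorPrefix + "\x00db\x00"), pidNS: 4026532555},
}

// containerPidNS is the pid-namespace inode a daemon would record for each
// container when it starts that container's init. Also constructed.
var containerPidNS = map[string]uint64{
	"web": 4026532555,
	"db":  4026532601,
}

// argv splits a /proc cmdline buffer into its argument strings.
func argv(p procEntry) []string {
	return strings.Split(strings.TrimRight(string(p.cmdline), "\x00"), "\x00")
}

// cmdlineLookup is the spoofable pattern: starting at the peer PID, walk up the
// parent chain and trust the first process whose argv looks like a monitor.
func cmdlineLookup(pid int) (string, error) {
	for pid > 0 {
		p, ok := procTable[pid]
		if !ok {
			return "", fmt.Errorf("pid %d not found", pid)
		}
		if a := argv(p); len(a) == 2 && a[0] == monitorPrefix {
			return a[1], nil
		}
		pid = p.ppid
	}
	return "", errors.New("no monitor process among ancestors")
}

// pidNSLookup keys the decision on the peer's pid-namespace inode, which only
// the kernel sets, and never consults attacker-writable text.
func pidNSLookup(pid int) (string, error) {
	p, ok := procTable[pid]
	if !ok {
		return "", fmt.Errorf("pid %d not found", pid)
	}
	for name, ns := range containerPidNS {
		if ns == p.pidNS {
			return name, nil
		}
	}
	return "", errors.New("peer is not inside any known container")
}

func main() {
	for _, pid := range []int{1300, 1234, 100} {
		c1, err1 := cmdlineLookup(pid)
		c2, err2 := pidNSLookup(pid)
		fmt.Printf("pid %d: cmdline lookup -> %q (%v); pidns lookup -> %q (%v)\n", pid, c1, err1, c2, err2)
	}
}
```

For the honest shell (PID 1300) both lookups agree on "web". For the spoofing process (PID 1234) the command-line walk answers "db", the container the attacker chose, while the namespace check still answers "web". A host-side process such as the monitor itself (PID 100) maps to no container under the namespace check, which is the right failure mode for a devLXD-style socket that should only ever serve containers.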
How to fix CVE-2025-54288
To remediate CVE-2025-54288, upgrade the affected package to a fixed version below. The package names were not captured on this page; the version strings identify the distribution channel.
- upgrade to 6.0.4-2+deb13u1 or later (Debian 13 package version)
- upgrade to 5.0.2-5+deb12u1 or later (Debian 12 package version)
- upgrade to 5.21.4 or later (upstream LXD release)
- upgrade to 0.0.0-20250827065555-0494f5d47e41 or later (Go module pseudo-version of github.com/canonical/lxd)
After upgrading, confirm the running daemon version with `lxd --version` and restart the daemon so the patched devLXD server is the one serving containers.
Is CVE-2025-54288 being exploited?
Low: EPSS is 0.06%, meaning the model estimates roughly a 0.06% probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks; the precondition (root inside a container on the same host) also limits who can reach the vulnerable code path.
Affected packages (4)
- Debian 13 package: all versions < 6.0.4-2+deb13u1
- Debian 12 package: all versions < 5.0.2-5+deb12u1
- upstream LXD: >= 4.0, < 5.21.4
- Go module github.com/canonical/lxd: >= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM (4.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N |