CVE-2025-54290 — Canonical LXD Project Existence Determination Through Error Handling in Image Ex

Description

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

How to fix CVE-2025-54290

To remediate CVE-2025-54290, upgrade the affected package to a fixed version below.

—upgrade to 6.0.4-2+deb13u1 or later
—no fix listed
—upgrade to 5.21.4 or later
—upgrade to 0.0.0-20250827065555-0494f5d47e41 or later

Is CVE-2025-54290 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 6.0.4-2+deb13u1
from 0
>= 4.0, < 5.21.4
>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-54290
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-54290
PATCHgithub.com/canonical/lxd
WEBgithub.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
WEB