CVE-2025-54291
Canonical LXD Project Existence Determination Through Error Handling in Image Get Function in github.com/canonical/lxd
5.3
MEDIUM
CVSS 3.1
EPSS 0.11%
Description
Information disclosure in the images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine whether a project exists via differing HTTP status code responses.
How to fix CVE-2025-54291
To remediate CVE-2025-54291, upgrade the affected package to one of the fixed versions listed below.
- — upgrade to 6.0.4-2+deb13u1 or later
- — no fix listed
- — upgrade to 5.21.4 or later
- — upgrade to 0.0.0-20250827065555-0494f5d47e41 or later
Is CVE-2025-54291 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 6.0.4-2+deb13u1
- from 0
- >= 4.0, < 5.21.4
- >= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |