Project Existence Disclosure via Error Handling in LXD Image Export

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Basic Information

ID CVE-2025-54290

Source canonical

Published Oct 2, 2025 at 09:24

Affected Product

Vendor Canonical

Product LXD

Version 6.0

Affected Versions Canonical LXD 6.0
Canonical LXD 5.21

CWE Classification

CWE-200

References

github.com /canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35

{
    "lastseen": "",
    "description": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.",
    "published": "2025-10-02T09:24:12.894Z",
    "modified": "2025-10-02T09:24:12.894Z",
    "type": "cve",
    "title": "Project Existence Disclosure via Error Handling in LXD Image Export",
    "source": "canonical",
    "references": "https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35",
    "id": "CVE-2025-54290",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Canonical LXD 6.0\nCanonical LXD 5.21",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LXD",
    "version": "6.0",
    "vendor": "Canonical",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Project Existence Disclosure via Error Handling in LXD Image Export_CVE-2025-54290