CVE-2025-54286: Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
OIDC authentication uses cookies carrying the SameSite=Strict attribute, so the browser does not send them with requests initiated from other sites. CSRF is therefore not possible through the OIDC session, as long as every web service in a same-site relationship (same eTLD+1) with the origin serving LXD-UI is trusted.
However, the SameSite concept does not apply to client certificates: the browser attaches them to any request to the server, whoever initiated it. CSRF protection that does not rely on the SameSite attribute is therefore necessary for client-certificate authentication.
Note that with a cross-origin fetch API call, client certificates are not sent in no-cors mode because of CORS restrictions (according to the WHATWG Fetch specification (https://fetch.spec.whatwg.org/#credentials), client certificates are treated as credentials), which makes cross-site attacks using the fetch API difficult unless the CORS configuration is itself vulnerable. However, LXD's API parses request bodies as JSON even when the Content-Type is text/plain or application/x-www-form-urlencoded, so CSRF attacks that exploit plain HTML form submissions are possible.
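The kind of server-side guard that closes this gap, as an added example that is not LXD's own code: a Go middleware that refuses state-changing requests unless the Content-Type parses to application/json (an HTML form cannot produce that type) and, when an Origin header is present, it matches an allow-list. The host, path and origins are placeholders.

```go
package main

import (
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// csrfGuard rejects state-changing requests a cross-site HTML form could produce. A form
// can only submit text/plain, multipart/form-data or x-www-form-urlencoded, so requiring
// application/json closes the gap; the Origin check is an independent second layer.
func csrfGuard(allowedOrigins []string, next http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, o := range allowedOrigins {
		allowed[strings.ToLower(o)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r) // safe methods change no state
			return
		}
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "expected application/json", http.StatusUnsupportedMediaType)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" {
			u, err := url.Parse(origin)
			if err != nil || !allowed[strings.ToLower(u.Scheme+"://"+u.Host)] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// guardStatus runs one constructed request through the guard in front of a backend
// that always answers 200 and returns the status code; host and path are placeholders.
func guardStatus(method, contentType, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "https://ui.example/api", strings.NewReader(`{"x":1}`))
	req.Header.Set("Content-Type", contentType) // empty string behaves like a missing header
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	csrfGuard([]string{"https://ui.example"}, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Neither check depends on cookies or SameSite, so it applies equally to client-certificate sessions; non-browser clients that send no Origin header still pass as long as they send JSON.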