CVE-2025-54289: Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API

October 2, 2025

LXD’s operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication of WebSocket connections for terminal and console sessions.

Therefore, attackers with only read permissions can use secret values obtained from the operations API to hijack terminal or console sessions opened by other users. Through this hijacking, attackers can execute arbitrary commands inside instances with the victim’s privileges.

References

github.com/advisories/GHSA-3g72-chj4-2228
github.com/canonical/lxd
github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
nvd.nist.gov/vuln/detail/CVE-2025-54289

Code Behaviors & Features

Detect and mitigate CVE-2025-54289 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →