
CVE-2025-54289: Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API

October 2, 2025

When information about running operations is retrieved, LXD’s operations API includes the secret values needed to open the associated WebSocket connections. These secret values are used to authenticate the WebSocket connections for terminal and console sessions.

Therefore, attackers with only read permissions can use secret values obtained from the operations API to hijack terminal or console sessions opened by other users. Through this hijacking, attackers can execute arbitrary commands inside instances with the victim’s privileges.

References

  • github.com/advisories/GHSA-3g72-chj4-2228
  • github.com/canonical/lxd
  • github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
  • nvd.nist.gov/vuln/detail/CVE-2025-54289


Affected versions

All versions starting from 4.0 before 5.21.4, and all versions starting from 6.0 before 6.5

Fixed versions

  • 5.21.4
  • 6.5

Solution

Upgrade to versions 5.21.4, 6.5 or above.
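As an added example (not part of this advisory or of LXD itself), a small Go check that flags an LXD server version falling inside the affected ranges stated above. It assumes the version string is dotted integers as written in the advisory, with an optional leading "v".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRanges holds the half-open intervals [from, before) taken from this advisory.
var affectedRanges = [][2]string{{"4.0", "5.21.4"}, {"6.0", "6.5"}}

// parseVersion turns "5.21.4" or "6.5" into three ints, zero-padding missing components.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	for i, p := range strings.Split(strings.TrimPrefix(s, "v"), ".") {
		n, err := strconv.Atoi(p)
		if i > 2 || err != nil || n < 0 {
			return v, fmt.Errorf("malformed LXD version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether an LXD server version lies in an affected range.
// The upper bounds are exclusive: 5.21.4 and 6.5 are the fixed releases.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r[0]) // bounds above are well-formed constants
		hi, _ := parseVersion(r[1])
		if !less(v, lo) && less(v, hi) {
			return true, nil
		}
	}
	return false, nil
}
```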

Impact: 6.8 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N


Weakness

  • CWE-1385: Missing Origin Validation in WebSockets

Source file

go/github.com/canonical/lxd/CVE-2025-54289.yml


Page generated Tue, 07 Oct 2025 00:18:33 +0000.