CVE-2025-54289: Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
LXD's operations API includes the secret values needed to open WebSocket connections in the information it returns about running operations. These secret values are what authenticate the WebSocket connections backing terminal and console sessions.
As a result, an attacker with only read permissions can take secret values obtained from the operations API and hijack terminal or console sessions opened by other users. Through this hijacking, the attacker can execute arbitrary commands inside instances with the victim's privileges.
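The mitigation the advisory implies is to strip WebSocket secrets from operation records before returning them to callers who only have read access. The following is an added illustration in Go (LXD's own language) and is not LXD's code or its fix; the `Operation` struct and the metadata key names `fds` and `secret` are assumptions made for this example, and the sample operation is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Operation is an assumed, simplified shape of an operation record whose
// metadata may carry WebSocket secrets. Field names are assumptions for this
// example, not LXD's own types.
type Operation struct {
	ID       string                 `json:"id"`
	Class    string                 `json:"class"`
	Status   string                 `json:"status"`
	Metadata map[string]interface{} `json:"metadata"`
}

// secretKeys lists the metadata keys treated as WebSocket secrets (assumed names).
var secretKeys = map[string]bool{"fds": true, "secret": true}

// RedactForViewer returns a copy of op with WebSocket secrets removed unless the
// caller is allowed to attach to the session (canAttach). A read-only caller
// learns that an exec/console operation exists but not how to join it. The
// input is never mutated so the server-side record keeps its secrets.
func RedactForViewer(op Operation, canAttach bool) Operation {
	out := op
	out.Metadata = make(map[string]interface{}, len(op.Metadata))
	for k, v := range op.Metadata {
		if secretKeys[k] && !canAttach {
			continue
		}
		out.Metadata[k] = v
	}
	return out
}

// sampleOperation builds a constructed exec-style operation for demonstration.
func sampleOperation() Operation {
	return Operation{
		ID: "op-example-1", Class: "websocket", Status: "Running",
		Metadata: map[string]interface{}{
			"command": []string{"bash"},
			"fds":     map[string]string{"0": "CONSTRUCTED-SECRET-0", "control": "CONSTRUCTED-SECRET-C"},
		},
	}
}

func main() {
	// A caller with only read permission gets the record without "fds".
	b, _ := json.MarshalIndent(RedactForViewer(sampleOperation(), false), "", "  ")
	fmt.Println(string(b))
}
```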