CVE-2025-54290: Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
In LXD’s images export API (/1.0/images/{fingerprint}/export), implementation differences in error handling allow determining project existence without authentication.
Specifically, in the following code, errors when multiple images match are directly returned to users as API responses:
Although fingerprints are normally unique, this endpoint matches the fingerprint with a SQL LIKE clause so that a prefix can be supplied. A LIKE wildcard such as % therefore matches more than one image whenever the project contains several images.
In the implementation above, multiple matches produce a 500 error, whereas a project that does not exist yields zero matches and a 404:
- When project exists and multiple images match: HTTP 500 error “More than one image matches”
- When project doesn’t exist: HTTP 404 error “not found”
This behavioural difference allows attackers to confirm project existence without authentication.
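As an added illustration (not LXD's code and not the project's fix), the Go program below models the response-handling pattern the advisory describes next to a hardened variant that returns one uniform unauthenticated response for every lookup failure. The image store, project names, fingerprints and handler names are constructed for the example, and simple prefix matching stands in for the LIKE clause.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// imageStore is a constructed in-memory stand-in for the image database
// (hypothetical data, not LXD's schema): project name -> image fingerprints.
var imageStore = map[string][]string{
	"default": {"aa11", "aa22", "bb33"},
}

var (
	errNotFound  = errors.New("not found")
	errAmbiguous = errors.New("more than one image matches")
)

// lookupImage mimics a LIKE 'prefix%' match on fingerprints within a project.
// A missing project and a non-matching prefix both surface as errNotFound;
// several matches surface as errAmbiguous.
func lookupImage(project, prefix string) (string, error) {
	fps, ok := imageStore[project]
	if !ok {
		return "", errNotFound // no such project: zero matches
	}
	var matches []string
	for _, fp := range fps {
		if strings.HasPrefix(fp, prefix) {
			matches = append(matches, fp)
		}
	}
	switch len(matches) {
	case 0:
		return "", errNotFound
	case 1:
		return matches[0], nil
	default:
		return "", errAmbiguous
	}
}

// exportLeaky reproduces the pattern described in the advisory: the lookup
// error is mapped straight onto the HTTP response, so "project exists but
// several images match" (500) and "project does not exist" (404) are
// distinguishable before any authentication has taken place.
func exportLeaky(project, prefix string) (int, string) {
	fp, err := lookupImage(project, prefix)
	switch {
	case errors.Is(err, errNotFound):
		return http.StatusNotFound, err.Error()
	case err != nil:
		return http.StatusInternalServerError, err.Error()
	}
	return http.StatusOK, fp
}

// exportHardened collapses every lookup failure onto the same response.
// The detail is logged server-side and never reaches the client.
func exportHardened(project, prefix string) (int, string) {
	fp, err := lookupImage(project, prefix)
	if err != nil {
		fmt.Printf("image export lookup failed: project=%q prefix=%q err=%v\n", project, prefix, err)
		return http.StatusNotFound, "not found"
	}
	return http.StatusOK, fp
}

// ResponsesDiffer is a regression check: it reports whether a handler lets an
// unauthenticated caller tell an existing project apart from a missing one by
// status code alone, using a prefix that matches two images in "default".
func ResponsesDiffer(handler func(string, string) (int, string)) bool {
	existingStatus, _ := handler("default", "aa")
	missingStatus, _ := handler("no-such-project", "aa")
	return existingStatus != missingStatus
}

func main() {
	fmt.Println("leaky handler reveals project existence:", ResponsesDiffer(exportLeaky))
	fmt.Println("hardened handler reveals project existence:", ResponsesDiffer(exportHardened))
}
```

Normalising the error path closes the status-code oracle described here; a stronger design performs no lookup at all until the request has been authorised, so that neither timing nor error text can depend on the project's existence.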