CVE-2025-54290: Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
In LXD's image export API (/1.0/images/{fingerprint}/export), a difference in error handling allows an unauthenticated caller to determine whether a project exists.
Specifically, in the following code, errors when multiple images match are directly returned to users as API responses:
While full fingerprints are effectively unique, this endpoint matches the supplied fingerprint with a LIKE clause so that a prefix can be given. A LIKE wildcard such as % therefore matches more than one image whenever the project contains more than one.
In the implementation above, more than one match produces a 500 error, whereas a project that does not exist has no images at all, so zero rows match and a 404 is returned.
- When project exists and multiple images match: HTTP 500 error “More than one image matches”
- When project doesn’t exist: HTTP 404 error “not found”
This behavioural difference allows attackers to confirm project existence without authentication.
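As an added illustration (not LXD's own code), the Go snippet below contrasts an error mapping that exposes the 500/404 difference described above with one that returns the same 404 for every failed lookup; the in-memory store, the project name and the fingerprints are constructed placeholders.

```go
package main

import (
	"net/http"
	"strings"
)

// Constructed sample store (project name -> image fingerprints), not LXD's
// own database; the fingerprints are made-up placeholders.
var images = map[string][]string{
	"default": {"a1b2c3d4", "a1f0e9d8", "ffee0011"},
}

// matchCount mimics the LIKE 'prefix%' lookup: a prefix, or a bare "%",
// can match several images; a missing project simply has no rows.
func matchCount(project, pattern string) int {
	prefix := strings.TrimSuffix(pattern, "%")
	n := 0
	for _, fp := range images[project] {
		if strings.HasPrefix(fp, prefix) {
			n++
		}
	}
	return n
}

// leakyStatus maps results as the advisory describes: more than one match
// is surfaced as a distinct 500, so an unauthenticated caller can tell an
// existing project with several images (500) from a missing one (404).
func leakyStatus(project, pattern string) int {
	switch matchCount(project, pattern) {
	case 0:
		return http.StatusNotFound
	case 1:
		return http.StatusOK
	default:
		return http.StatusInternalServerError
	}
}

// fixedStatus collapses every lookup failure to the same 404 so that "no
// such project" and "ambiguous fingerprint" look identical to the caller.
func fixedStatus(project, pattern string) int {
	if matchCount(project, pattern) != 1 {
		return http.StatusNotFound
	}
	return http.StatusOK
}
```

Applying authorization before the lookup removes the oracle entirely; uniform error responses are the defence-in-depth layer shown here.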