CVE-2025-54290: Canonical LXD Project Existence Determination Through Error Handling in Image Export Function

October 2, 2025

In LXD’s images export API (/1.0/images/{fingerprint}/export), implementation differences in error handling allow determining project existence without authentication.

Specifically, in the following code, errors when multiple images match are directly returned to users as API responses:

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/db/images.go#L239-L246

Fingerprints are normally unique, but this lookup matches the fingerprint with a SQL LIKE clause so that a prefix can be supplied. A LIKE wildcard such as % therefore matches every image in the project, so more than one row is returned whenever the project contains more than one image.

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/db/images.go#L277-L286

In the above implementation, multiple matches result in a 500 error, but if the project itself doesn’t exist, there are 0 matches and a 404 is returned.

  1. When project exists and multiple images match: HTTP 500 error “More than one image matches”
  2. When project doesn’t exist: HTTP 404 error “not found”

This behavioural difference allows attackers to confirm project existence without authentication.
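As an added illustration (not LXD's own code and not its actual patch), the two mitigations this advisory points to, written in Go: reject any fingerprint value that is not a hex prefix before it can reach a LIKE query, and collapse every lookup failure into one response for unauthenticated callers so the status code no longer acts as a project-existence oracle. The sentinel errors, the Response type and the authenticated flag are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Stand-ins for the lookup outcomes the advisory describes (constructed, not LXD's own).
var (
	ErrNoMatch       = errors.New("not found")
	ErrMultipleMatch = errors.New("More than one image matches")
	ErrNoProject     = errors.New("project not found")
)

// A fingerprint prefix is 1..64 lowercase hex chars; anything else (e.g. LIKE wildcards % and _) is rejected.
var fingerprintPrefix = regexp.MustCompile(`^[0-9a-f]{1,64}$`)

func ValidateFingerprint(fp string) error {
	if !fingerprintPrefix.MatchString(fp) {
		return fmt.Errorf("invalid image fingerprint %q", fp)
	}
	return nil
}

type Response struct {
	Status  int
	Message string
}

// ToResponse maps a lookup error to an API response. Unauthenticated callers get the
// same 404 for every failure (no project-existence oracle); authenticated callers
// keep the specific error, with an ambiguous prefix reported as 400 rather than 500.
func ToResponse(err error, authenticated bool) Response {
	switch {
	case err == nil:
		return Response{200, "ok"}
	case !authenticated:
		return Response{404, "not found"}
	case errors.Is(err, ErrMultipleMatch):
		return Response{400, err.Error()}
	case errors.Is(err, ErrNoProject), errors.Is(err, ErrNoMatch):
		return Response{404, "not found"}
	}
	return Response{500, "internal error"}
}

func main() {
	fmt.Println(ValidateFingerprint("ab%"), ToResponse(ErrMultipleMatch, false))
}
```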

References

  • github.com/advisories/GHSA-p3x5-mvmp-5f35
  • github.com/canonical/lxd
  • github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
  • nvd.nist.gov/vuln/detail/CVE-2025-54290


Affected versions

All versions starting from 4.0 before 5.21.4, all versions starting from 6.0 before 6.5

Fixed versions

  • 5.21.4
  • 6.5

Solution

Upgrade to versions 5.21.4, 6.5 or above.

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

go/github.com/canonical/lxd/CVE-2025-54290.yml


Page generated Tue, 07 Oct 2025 00:18:17 +0000.