CVE-2025-0928: Juju allows arbitrary executable uploads via authenticated endpoint without authorization
Anyone holding a user account on a Juju controller can upload agent binaries to that controller and thereby control the code those binaries execute. No model access and no permissions are required; the endpoint only checks that the caller is authenticated, so an account in the controller database is sufficient.
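The defect the advisory describes is the gap between authentication (is this a known account?) and authorization (may this account replace controller binaries?). The handler below is an added illustration, not Juju's code: the endpoint path `/tools`, the bearer-token user table, the `ToolsStore` type and the `controller:superuser` permission name are assumptions of this example. `VulnerableUpload` mirrors the flawed shape, where any account passes; `FixedUpload` adds the explicit permission check that must follow authentication.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal is what a (hypothetical) authentication layer hands to handlers.
type Principal struct {
	Name  string
	Perms map[string]bool // e.g. "controller:superuser" (assumed name)
}

// users is a constructed token table for the example, not a real controller database.
var users = map[string]Principal{
	"tok-alice": {Name: "alice", Perms: map[string]bool{"controller:superuser": true}},
	"tok-bob":   {Name: "bob", Perms: map[string]bool{}}, // has an account and nothing else
}

// authenticate resolves a bearer token to a principal; it answers only "who is this?".
func authenticate(r *http.Request) (Principal, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	p, ok := users[tok]
	return p, ok
}

// ToolsStore holds uploaded agent binaries keyed by version string.
type ToolsStore struct{ Blobs map[string][]byte }

func NewToolsStore() *ToolsStore { return &ToolsStore{Blobs: map[string][]byte{}} }

// VulnerableUpload: authentication only. Any account, with no permissions,
// can replace the binaries every agent will run.
func (s *ToolsStore) VulnerableUpload(w http.ResponseWriter, r *http.Request) {
	if _, ok := authenticate(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	s.save(w, r)
}

// FixedUpload: authentication followed by an explicit authorization check.
// Accounts without the controller-level permission get 403, not an upload.
func (s *ToolsStore) FixedUpload(w http.ResponseWriter, r *http.Request) {
	p, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if !p.Perms["controller:superuser"] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	s.save(w, r)
}

// save stores the request body under ?version=...; shared by both handlers.
func (s *ToolsStore) save(w http.ResponseWriter, r *http.Request) {
	version := r.URL.Query().Get("version")
	if version == "" {
		http.Error(w, "missing version", http.StatusBadRequest)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap upload size
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	s.Blobs[version] = body
	w.WriteHeader(http.StatusOK)
}

// Upload drives a handler with an in-memory request and returns the HTTP status.
func Upload(h http.HandlerFunc, token, version, payload string) int {
	req := httptest.NewRequest(http.MethodPost, "/tools?version="+version, strings.NewReader(payload))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Constructed payload standing in for an agent binary.
	const ver, payload = "3.0.0-ubuntu-amd64", "not-really-an-ELF"
	vuln, fixed := NewToolsStore(), NewToolsStore()
	fmt.Println("vulnerable, bob:", Upload(vuln.VulnerableUpload, "tok-bob", ver, payload))
	fmt.Println("fixed, bob:     ", Upload(fixed.FixedUpload, "tok-bob", ver, payload))
	fmt.Println("fixed, alice:   ", Upload(fixed.FixedUpload, "tok-alice", ver, payload))
}
```

The check belongs in the handler, not only in the CLI client: a client-side restriction is bypassed by anyone who speaks the API directly, which is exactly the position of a low-privilege account holder.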
References
- github.com/advisories/GHSA-4vc8-wvhw-m5gv
- github.com/juju/juju
- github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e
- github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c
- github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096
- github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf
- github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv
- nvd.nist.gov/vuln/detail/CVE-2025-0928
- pkg.go.dev/vuln/GO-2025-3805