CVE-2025-54287: Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns

October 2, 2025

In LXD’s instance snapshot creation functionality, the Pongo2 template engine is used in the snapshots.pattern configuration for generating snapshot names. While code execution functionality has not been found in this template engine, it has file reading capabilities, creating a vulnerability that allows arbitrary file reading through template injection attacks.

References

github.com/advisories/GHSA-w2hg-2v4p-vmh6
github.com/canonical/lxd
github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6
nvd.nist.gov/vuln/detail/CVE-2025-54287

Code Behaviors & Features

Detect and mitigate CVE-2025-54287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →