Information disclosure in Canonical Lxd

CVE-2025-54290

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Vulnerability class: Information Disclosure

EPSS: 0.001 (30.4th percentile) — read the EPSS interpretation.

Affected products

Canonical Lxd — versions 6.0, 5.21

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35