Information disclosure in Canonical Lxd

CVE-2025-54291

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

EPSS: 0.001 (28.8th percentile) — read the EPSS interpretation.

Affected products

Canonical Lxd — versions 6.0, 5.21

Weakness classification (CWE)

CWE-209 — Generation of Error Message Containing Sensitive Information

References

github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7