5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54291

GHSA ID

GHSA-xch9-h8qw-85c7

EPSS Score

0.35153%

CWE

CWE-209

Published

10/2/2025

Updated

10/2/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54291

CVE-2025-54291: Canonical LXD Project Existence Determination Through Error Handling in Image Get Function

Impact

The LXD /1.0/images endpoint is implemented as an AllowUntrusted API that requires no authentication, making it accessible to users without accounts. This API allows determining project existence through differences in HTTP status codes when accessed with the project parameter.

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/images.go#L63-L69

This configuration allows access without authentication:

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/daemon.go#L924-L926

This API returns a 404 error when accessing existing projects and a 403 error when accessing non-existent projects, allowing confirmation of project existence through this difference.

The problematic implementation is shown below.

First, in the error handling implementation of the imagesGet function below, project existence is checked within the projectutils.ImageProject function, and the err returned by the ImageProject function is directly returned to the user.

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/i mages.go#L1781-L1788

When the project doesn't exist, the error is 404 (http.StatusNotFound), which is returned to the user:

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/db/cluster/projects.mapper.go#L237-L239

On the other hand, when the project exists but the user lacks viewing permissions, the imagesGet function returns 403 (response.Forbidden):

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/images.go#L1796-L1799

Reproduction Steps

Send the following request without authentication to a non-existent project:

curl -k "https://lxd-host:8443/1.0/images?project=XXX-project"

Response:

{"type":"error","status":"","status_code":0,"operation":"","error_code":404,"error":"fetch project: Project not found","metadata":null}

Send a request without authentication to an existing project (if a public project exists, it will be included in the response):

curl -k "https://lxd-host:8443/1.0/images?project=exist-project"

Reponse:

{"type":"error","status":"","status_code":0,"operation":"","error_code":403,"error":"Untrusted callers may only access public images in the default project","metadata":null}

Risk

The attack requires only network access to the LXD API endpoint, with no authentication needed.

The attack allows confirming the existence of projects within the LXD system by exploiting differences in HTTP status codes. This could potentially increase the exploitability of othervulnerabilities.

Additionally, since project IDs often use meaningful names set by users, this could lead to leakage of unpublished product information. However, resource information within projects cannot be obtained, limiting the impact to existence confirmation only.

Countermeasures

It is recommended to modify the error handling in the imagesGet function to return consistent responses regardless of project existence. Specifically, when an error occurs during project existence verification, the implementation should be changed to always return a 403 (Untrusted callers may only access public images in the default project) error to unauthenticated users.

This ensures that the same error response is returned for both existing and non-existing projects, preventing determination of project existence.

Patches

| LXD Series | Status | | ------------- | ------------- | | 6 | Fixed in LXD 6.5 | | 5.21 | Fixed in LXD 5.21.4 | | 5.0 | Ignored - Not critical | | 4.0 | Ignored - EOL and not critical |

References

Reported by GMO Flatt Security Inc.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54291

GHSA ID

GHSA-xch9-h8qw-85c7

EPSS Score

0.35153%

CWE

CWE-209

Published

10/2/2025

Updated

10/2/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/canonical/lxd	go	>= 4.0, < 5.21.4	5.21.4
github.com/canonical/lxd	go	>= 6.0, < 6.5	6.5
github.com/canonical/lxd	go	>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41	0.0.0-20250827065555-0494f5d47e41

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows unauthenticated users to determine the existence of projects in LXD by observing different HTTP status codes from the /1.0/images API endpoint. A request for a non-existent project would yield a 404 error, while a request for an existing but unauthorized project would result in a 403 error. This information leak is caused by improper error handling in the imagesGet function located in lxd/images.go. The provided patch addresses this by reorganizing the logic to handle untrusted users early. Specifically, for an unauthenticated user requesting a non-default project, the patched code now consistently returns a generic 404 Not Found response, regardless of the project's actual existence. This makes it impossible to distinguish between non-existent and unauthorized projects, thus mitigating the vulnerability. The primary vulnerable function is lxd.imagesGet as it is the API handler containing the flawed logic that was patched.

Vulnerable functions

lxd.imagesGet

lxd/images.go

The `imagesGet` function, which handles the `/1.0/images` API endpoint, had a flaw in its error handling for unauthenticated requests. It would return a `404 Not Found` error for a non-existent project but a `403 Forbidden` for an existing project that the user was not authorized to see. This difference in response codes created an information disclosure vulnerability, allowing an attacker to enumerate project names. The patch rectifies this by ensuring that for unauthenticated users, a generic `404 Not Found` is returned for any non-default project, thereby making the responses consistent and closing the information leak.

WAF Protection Rules

WAF Rule

### Imp**t T** LX* /*.*/im***s *n*point is impl*m*nt** *s *n *llowUntrust** *PI t**t r*quir*s no *ut**nti**tion, m*kin* it ****ssi*l* to us*rs wit*out ***ounts. T*is *PI *llows **t*rminin* proj**t *xist*n** t*rou** *i***r*n**s in *TTP st*tus *o**s w*

Reasoning

T** vuln*r**ility *llows un*ut**nti**t** us*rs to **t*rmin* t** *xist*n** o* proj**ts in LX* *y o*s*rvin* *i***r*nt *TTP st*tus *o**s *rom t** `/*.*/im***s` *PI *n*point. * r*qu*st *or * non-*xist*nt proj**t woul* yi*l* * *** *rror, w*il* * r*qu*st *

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-54291: Canonical LXD Project Existence Determination Through Error Handling in Image Get Function

Impact

Reproduction Steps

Risk

Countermeasures

Patches

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI