CVE-2025-54291

MEDIUM

Canonical Lxd < 5.21.4 - Error Information Exposure

Title source: rule

Description

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

References (1)

[Exploit, Vendor Advisory] https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7

Scores

CVSS v3 5.3

EPSS 0.0008

EPSS Percentile 22.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-209

Status published

Affected Products (2)

canonical/lxd < 5.21.4

canonical/lxd < 5.21.4Go

Timeline

Published Oct 02, 2025

Tracked Since Feb 18, 2026