CVE-2025-54291

MEDIUM

Canonical Lxd < 5.21.4 - Error Information Exposure

Title source: rule

Description

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

References (1)

[Exploit, Vendor Advisory] https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7

Scores

CVSS v3 5.3

EPSS 0.0009

EPSS Percentile 26.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (2)

canonical/lxd 4.0 - 5.21.4Go

canonical/lxd 4.0.0 - 5.21.4

Published Oct 02, 2025

Tracked Since Feb 18, 2026