DEBIAN-CVE-2025-54291

DEBIAN-CVE-2025-54291 PUBLISHED CVSS 5.300000190734863 MEDIUM

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:12	lxd	*, 5.0.2-5+deb12u3, 5.0.2-5+deb12u4
Debian:14	incus	6.0.4-3, 0, 0
Debian:13	lxd	5.0.2+git20231211.1364ae4, 5.0.2+git20231211.1364ae4, 5.0.2+git20231211.1364ae4
Debian:13	incus	0, 6.0.4-2+deb13u1~bpo12+1, 0

Timeline

Oct 2, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-54291 advisory

Open in Interactive Console →