CVE-2025-54289

NameCVE-2025-54289
DescriptionPrivilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)trixie6.0.4-2vulnerable
forky6.0.5-1vulnerable
sid6.0.5-2vulnerable
lxd (PTS)bookworm5.0.2-5vulnerable
trixie5.0.2+git20231211.1364ae4-9vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)(unfixed)
lxdsource(unstable)(unfixed)

Notes

https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228
Search for package or bug name: Reporting problems