CVE-2025-54292

NameCVE-2025-54292
DescriptionPath traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)trixie6.0.4-2vulnerable
forky6.0.5-1vulnerable
sid6.0.5-2vulnerable
lxd (PTS)bookworm5.0.2-5vulnerable
trixie5.0.2+git20231211.1364ae4-9vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)(unfixed)
lxdsource(unstable)(unfixed)

Notes

https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3

Search for package or bug name: Reporting problems