Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Status: PUBLISHED | Reserved 2025-07-18 | Published 2025-10-02 | Updated 2025-10-03 | Assigner: canonical

Severity: HIGH 7.5 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status: unaffected

5.0 (semver) before 5.0.5: affected
5.21 (semver) before 5.21.4: affected
6.0 (semver) before 6.5: affected

Credits

GMO Flatt Security Inc.

References

github.com/...al/lxd/security/advisories/GHSA-p8hw-rfjg-689h (exploit)
github.com/...al/lxd/security/advisories/GHSA-p8hw-rfjg-689h
cve.org (CVE-2025-54286)
nvd.nist.gov (CVE-2025-54286)