CVE-2025-54289 | THREATINT

Description

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

PUBLISHED Reserved 2025-07-18 | Published 2025-10-02 | Updated 2025-10-03 | Assigner canonical

HIGH: 7.4CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-1385: Missing Origin Validation in WebSockets

Product status

Default status

unaffected

6 (semver) before 6.5

affected

5.21 (semver) before 5.21.4

affected

Credits

GMO Flatt Security Inc.

References

github.com/...al/lxd/security/advisories/GHSA-3g72-chj4-2228 exploit

github.com/...al/lxd/security/advisories/GHSA-3g72-chj4-2228

cve.org (CVE-2025-54289)

nvd.nist.gov (CVE-2025-54289)

Download JSON