#VU125580 Path traversal in lxd - CVE-2025-54292

 


Published: April 9, 2026


Vulnerability identifier: #VU125580
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-54292
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: lxd
Software vendor: Linux Containers

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in URL path construction in lxd-ui when embedding user-controlled resource names in URL paths. A remote user can create a malicious resource name containing path traversal sequences to disclose sensitive information.

User interaction is required, and exploitation occurs when another user performs operations on the crafted resource, causing path normalization to switch to a different project or resource.
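The normalization effect described above, shown as an added example that is not lxd-ui's own code: a name concatenated into a URL path unescaped, next to a hardened builder. The route layout, origin, and function names are hypothetical, and the crafted name is constructed for illustration.

```javascript
// Added example; the route layout and names are hypothetical, not lxd-ui's code.
const BASE = "https://lxd.example"; // constructed origin, only used for parsing

// Weak: the resource name is concatenated into the path unescaped, so the
// URL parser resolves any "../" it contains against the preceding segments.
function unsafeInstancePath(project, name) {
  return new URL(`/ui/project/${project}/instance/${name}`, BASE).pathname;
}

// Hardened: a name is exactly one path segment. encodeURIComponent leaves
// "." untouched, so bare dot segments are rejected before encoding.
function safeSegment(value) {
  if (typeof value !== "string" || value === "" || value === "." || value === "..") {
    throw new Error("invalid path segment");
  }
  return encodeURIComponent(value); // "/" -> %2F, "%" -> %25
}

function safeInstancePath(project, name) {
  const path = `/ui/project/${safeSegment(project)}/instance/${safeSegment(name)}`;
  const resolved = new URL(path, BASE).pathname;
  // Defence in depth: normalization must not have altered the built path.
  if (resolved !== path) throw new Error("path changed during normalization");
  return resolved;
}

// Constructed resource name containing traversal sequences.
const crafted = "../../other/instance/db";

console.log(unsafeInstancePath("default", crafted)); // project segment is replaced
console.log(safeInstancePath("default", crafted));   // name stays a single segment
```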


Remediation

Install the security update from the vendor's website.
