PT-2025-40332 · Canonical · Lxd

Published: 2025-10-02 · Updated: 2025-11-17 · CVE-2025-54289

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Canonical LXD versions prior to 6.5
Canonical LXD version 5.21 through 5.21.4
Description

A privilege escalation issue exists in the operations API of Canonical LXD. An attacker with read permissions can hijack terminal or console sessions and execute arbitrary commands. The attack hijacks a WebSocket connection using secret values obtained from the operations API: when a read-only user retrieves information about running operations, the response includes the secrets used to attach to those operations' WebSocket connections. Successful attacks require specific timing, because the attacker must hijack the WebSocket connection while a victim with higher privileges has an active terminal or console session. The risk is considered relatively low due to these critical timing requirements. The issue is addressed by excluding WebSocket connection secret information from operations API responses for read-only users.

Recommendations

Update to LXD version 6.5 or later.
Update to LXD version 5.21.4 or later.
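The fix described above is a response-filtering rule: an operation record may carry the secrets needed to attach to its WebSocket, and those secrets must be stripped before the record is returned to a caller who only has read permission. The following Go program is an added illustration of that pattern and is not LXD's own code; the Operation and Caller types, the "fds" metadata key and the CanWrite permission model are assumptions made for this example, and the secret values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Operation is a simplified, hypothetical operation record modelled loosely on
// what an operations API might return. Field names are assumptions for this
// example and are not taken from LXD's API.
type Operation struct {
	ID       string                 `json:"id"`
	Class    string                 `json:"class"`
	Status   string                 `json:"status"`
	Metadata map[string]interface{} `json:"metadata"`
}

// Caller is the identity resolved by the API layer before a handler runs.
// CanWrite is an assumed stand-in for "may manage/attach to this operation".
type Caller struct {
	Name     string
	CanWrite bool
}

// secretMetadataKeys lists the metadata entries that carry WebSocket
// connection secrets. The key "fds" is an assumption for illustration.
var secretMetadataKeys = map[string]bool{"fds": true}

// RedactForCaller returns a copy of op with secret-bearing metadata removed
// when the caller lacks write permission. Callers with write permission get
// the full record, because they legitimately need the secrets to attach.
// The input op is never mutated.
func RedactForCaller(op Operation, c Caller) Operation {
	out := op
	out.Metadata = make(map[string]interface{}, len(op.Metadata))
	for k, v := range op.Metadata {
		if !c.CanWrite && secretMetadataKeys[k] {
			continue // drop the secret for read-only callers
		}
		out.Metadata[k] = v
	}
	return out
}

// HasSecrets reports whether a record still exposes secret metadata; useful
// as a last-line check in an API handler or in a regression test.
func HasSecrets(op Operation) bool {
	for k := range op.Metadata {
		if secretMetadataKeys[k] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a running exec-style operation whose metadata
	// carries per-fd WebSocket secrets (placeholder values).
	op := Operation{
		ID:     "op-EXAMPLE-0001",
		Class:  "websocket",
		Status: "Running",
		Metadata: map[string]interface{}{
			"command": []string{"bash"},
			"fds": map[string]string{
				"0":       "SECRET-PLACEHOLDER-0",
				"control": "SECRET-PLACEHOLDER-CONTROL",
			},
		},
	}
	for _, c := range []Caller{{"viewer", false}, {"operator", true}} {
		b, _ := json.Marshal(RedactForCaller(op, c))
		fmt.Printf("%-8s secrets=%v %s\n", c.Name, HasSecrets(RedactForCaller(op, c)), b)
	}
}
```

Running it prints the same operation twice: the viewer's copy keeps the non-secret metadata (the command) but has no "fds" entry, while the operator's copy is unchanged. Applying the redaction at the point where records are serialized, rather than in each individual handler, keeps every listing and lookup path consistent.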

Tags: Exploit · Fix · LPE · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-54289
DSA-6027-1
GHSA-3G72-CHJ4-2228
GO-2025-3999
OPENSUSE-SU-2025:15710-1

Affected Products

Debian
Lxd
Red Os