Path traversal in lxd - CVE-2025-54292

Published: April 9, 2026

Vulnerability identifier: #VU125580
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-54292
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Containers
Affected software:
lxd

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper input validation in URL path construction in lxd-ui: user-controlled resource names are embedded in URL paths without adequate validation. A remote user can create a resource whose name contains path traversal sequences and thereby cause sensitive information to be disclosed.

User interaction is required: exploitation occurs when another user performs operations on the crafted resource, at which point URL path normalization resolves the request to a different project or resource.
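The following is an added example, not code from lxd or lxd-ui, illustrating the CWE-22 pattern described above: a resource name is interpolated into a URL path, and the browser's URL normalization collapses `..` segments so the request resolves outside the path the UI intended. It places a vulnerable builder beside a hardened one. The API host, the `/1.0/instances/` prefix, the `project` query parameter and the allowlist regular expression are assumptions for this example, not lxd's actual validation rules.

```javascript
// Added example (not lxd-ui code): unvalidated resource name in a URL path
// versus a validated, percent-encoded, prefix-checked version.

const API_BASE = "https://lxd.example.invalid"; // constructed placeholder host
const INSTANCE_PREFIX = "/1.0/instances/";      // assumed path prefix

// Vulnerable pattern: the name goes straight into the path, so "../"
// segments are resolved by URL normalization before the request is sent.
function buildInstanceUrlUnsafe(project, name) {
  const url = new URL(`${INSTANCE_PREFIX}${name}`, API_BASE);
  url.searchParams.set("project", project);
  return url.href;
}

// Allowlist for resource names (an assumption for this example): letters,
// digits and hyphens only, so neither "/", "." nor "%" can reach the path.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,62}$/;

function isSafeResourceName(name) {
  return typeof name === "string" && NAME_RE.test(name);
}

// Hardened pattern: reject anything outside the allowlist, percent-encode the
// single path segment, and verify the resolved path still sits under the
// expected prefix (defence in depth against future changes to the allowlist).
function buildInstanceUrlSafe(project, name) {
  if (!isSafeResourceName(name)) {
    throw new Error(`invalid resource name: ${JSON.stringify(name)}`);
  }
  const url = new URL(`${INSTANCE_PREFIX}${encodeURIComponent(name)}`, API_BASE);
  url.searchParams.set("project", project);
  if (!url.pathname.startsWith(INSTANCE_PREFIX)) {
    throw new Error("resolved path escaped the instances prefix");
  }
  return url.href;
}

// Path the browser would actually request for a given builder and name;
// null when the hardened builder rejects the name.
function resolvedPath(builder, project, name) {
  try {
    return new URL(builder(project, name)).pathname;
  } catch (e) {
    return null;
  }
}

// Constructed sample names: one benign, one carrying traversal sequences.
const SAMPLES = ["web-01", "../../other-resource"];

for (const name of SAMPLES) {
  console.log(
    JSON.stringify(name),
    "unsafe ->", resolvedPath(buildInstanceUrlUnsafe, "default", name),
    "| safe ->", resolvedPath(buildInstanceUrlSafe, "default", name)
  );
}
```

Running the block shows the benign name resolving to `/1.0/instances/web-01` with both builders, while the traversal name resolves to `/other-resource` with the unsafe builder and is rejected outright by the hardened one. The prefix check after normalization is the detection point a reviewer should look for: it catches any name the allowlist fails to stop before the request leaves the client.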


How to mitigate CVE-2025-54292

Install security update from vendor's website.

Sources