CVE-2025-54288

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

CVSS

No CVSS.

References

Link	Resource
https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525
https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525

Configurations

No configuration.

History

02 Oct 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525 -~~	() https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525 -

02 Oct 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-02 10:15

Updated : 2025-10-02 19:11

NVD link : CVE-2025-54288

Mitre link : CVE-2025-54288

CVE.ORG link : CVE-2025-54288

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2025-54288", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@ubuntu.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-02T10:15:38.887", "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525", "source": "security@ubuntu.com"}, {"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@ubuntu.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line."}], "lastModified": "2025-10-02T19:11:46.753", "sourceIdentifier": "security@ubuntu.com"}