How to fix EUVD-2025-32641?

Within 30 days: Identify affected systems running images API in Canonical LXD and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Lxd affected by EUVD-2025-32641?

Organizations using images API in Canonical LXD should be aware of moderate risk from CVE-2025-54291 rated CVSS 5.3. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

EUVD-2025-32641

| CVE-2025-54291 MEDIUM

2025-10-02 [email protected]

GHSA-xch9-h8qw-85c7

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 13, 2026 - 19:12 euvd

EUVD-2025-32641

Analysis Generated

Mar 13, 2026 - 19:12 vuln.today

PoC Detected

Oct 24, 2025 - 14:11 vuln.today

Public exploit code

CVE Published

Oct 02, 2025 - 10:15 nvd

MEDIUM 5.3

Description

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Analysis

Technical Context

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Error Message Information Leak (CWE-209).

Affected Products

Affected products: Canonical Lxd

Remediation

Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +26

POC: +20

Vendor Status

Debian

incus

Release	Status	Fixed Version	Urgency
trixie	fixed	6.0.4-2+deb13u1	-
trixie (security)	fixed	6.0.4-2+deb13u4	-
forky, sid	fixed	6.0.5-8	-
(unstable)	fixed	6.0.5-1	-

lxd

Release	Status	Fixed Version	Urgency
bookworm	vulnerable	5.0.2-5+deb12u2	-
bookworm (security)	vulnerable	5.0.2-5+deb12u3	-
trixie	vulnerable	5.0.2+git20231211.1364ae4-9+deb13u2	-
trixie (security)	vulnerable	5.0.2+git20231211.1364ae4-9+deb13u3	-
(unstable)	fixed	(unfixed)	-

DSA-6027-1

EUVD-2025-32641 vulnerability details – vuln.today

Back

EUVD-2025-32641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

EUVD-2025-32641

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code