GHSA-p3x5-mvmp-5f35
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/canonical/lxd🐹github.com/canonical/lxd🐹github.com/canonical/lxdReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
In LXD's images export API (/1.0/images/{fingerprint}/export), implementation differences in error handling allow determining project existence without authentication.
Specifically, in the following code, errors when multiple images match are directly returned to users as API responses:
While fingerprints generally don't duplicate, this functionality uses fingerprints with LIKE clauses, allowing prefix specification. Therefore, using LIKE wildcards such as % will match multiple images if multiple images exist in the project.
In the above implementation, multiple matches result in a 500 error, but if the project itself doesn't exist, there are 0 matches and a 404 is returned.
- When project exists and multiple images match: HTTP 500 error "More than one image matches"
- When project doesn't exist: HTTP 404 error "not found"
This behavioural difference allows attackers to confirm project existence without authentication.
Reproduction Steps
- Send a request with a pattern matching multiple entries to an existing project (default):
curl -k 'https://lxd-host:8443/1.0/images/%25/export?project=default&secret=x'
Response:
{"type":"error","status":"","status_code":0,"operation":"","error_code":500,"error":"More than one image matches","metadata":null}
- Send a same request to a non-existent project (not-exist):
curl -k 'https://lxd-host:8443/1.0/images/%25/export?project=not-exist&secret=x'
Response:
{"type":"error","status":"","status_code":0,"operation":"","error_code":404,"error":"not found","metadata":null}
This difference allows enumerating existing projects in the system by brute-forcing(dictionary attack) project names.
Note that %25 is the URL encoding of %, which works as a wildcard matching all characters in SQL LIKE clauses.
This is used to intentionally create requests matching multiple images to trigger a 500 error.
Additionally, the secret parameter is added to include non-public images in the search, increasing the possibility of multiple matches.
Risk
The attack requires only network access to the LXD API endpoint, with no authentication needed.
The attack allows confirming the existence of projects within the LXD system by exploiting differences in HTTP status codes. This could potentially increase the exploitability of other vulnerabilities. Additionally, since project IDs often use meaningful names set by users, this could lead to leakage of unpublished product information.
However, resource information within projects cannot be obtained, limiting the impact to existence confirmation only.
Countermeasures
It is recommended to modify error handling in the images export API (/1.0/images/{fingerprint}/export) to return consistent responses regardless of project existence.
Specifically, return 404 even when errors occur during project existence verification. This ensures the same error response is returned for both existing and non-existing projects, preventing determination of project existence.
Additionally, if there are no specification(compatibility) issues, allowing only exact fingerprint matches in unauthenticated states and disabling prefix matching can prevent unexpected errors from occurring.
Patches
| LXD Series | Status |
|---|---|
| 6 | Fixed in LXD 6.5 |
| 5.21 | Fixed in LXD 5.21.4 |
| 5.0 | Ignored - Not critical |
| 4.0 | Ignored - EOL and not critical |
References
Reported by GMO Flatt Security Inc.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/canonical/lxd | ≥ 4.0&&< 5.21.4 | 5.21.4 |
| 🐹Go | github.com/canonical/lxd | ≥ 6.0&&< 6.5 | 6.5 |
| 🐹Go | github.com/canonical/lxd | ≥ 0.0.0-20200331193331-03aab09f5b5c&&< 0.0.0-20250827065555-0494f5d47e41 | 0.0.0-20250827065555-0494f5d47e41 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/canonical/lxd. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/canonical/lxd to 5.21.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p3x5-mvmp-5f35 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-p3x5-mvmp-5f35 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-p3x5-mvmp-5f35. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-p3x5-mvmp-5f35 in your dependencies?
O3 detects GHSA-p3x5-mvmp-5f35 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.