CVE-2025-0928: 
NixOS vulnerability analysis and mitigation

In Juju versions prior to 3.6.8 and 2.9.52, a critical security vulnerability was discovered where any authenticated controller user could upload arbitrary agent binaries to any model or to the controller itself, without proper verification of model membership or required permissions. The vulnerability was identified with CVE-2025-0928 and was disclosed on July 8, 2025. This vulnerability affects all Juju installations running versions below 3.6.8 and 2.9.52 (GitHub Advisory, NVD).

The vulnerability stems from improper authorization checks in the Juju API server's tools upload handler. The system only verified that the user was authenticated with a user tag, without performing additional permission validations. The vulnerability received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability. The issue is classified under CWE-285 (Improper Authorization) (GitHub Advisory, Miggo).

The vulnerability allows an attacker with basic user credentials to potentially compromise an entire Juju controller by uploading malicious binaries. These poisoned binaries can be executed on new machines or during system upgrades, potentially leading to complete system compromise. Through model migration, it's possible to affect other controllers that the attacker doesn't have direct access to. The impact is particularly severe as it can affect both new machine deployments and existing systems during upgrade processes (GitHub Advisory).

The vulnerability has been patched in Juju versions 3.6.8 and 2.9.52. Organizations running affected versions should immediately upgrade to these patched versions. The fix involves implementing proper authorization checks for the tools upload functionality, ensuring that only users with appropriate administrative privileges can upload agent binaries (GitHub Advisory).