CVE-2025-53513: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2025-53513) affects the Juju controller's /charms endpoint, which was discovered in July 2025. The vulnerability stems from insufficient authorization checks that allow any authenticated user with a controller account to upload charms without specific permissions. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) (NVD, Ubuntu).

The vulnerability exists in three charm-related HTTP API endpoints exposed by the controller: PUT/GET /model-/charms/-, POST/GET /model-/charms, and GET /charms on port 17070. These endpoints accept Basic HTTP authentication credentials from any valid user within the controller context, without performing specific permission checks. The vulnerability combines a zip slip issue within the juju/utils dependency with insufficient authorization controls in the charm upload functionality (GitHub Advisory, Miggo).

An attacker with a basic Juju account on a controller can upload malicious charms that exploit a Zip Slip vulnerability. This could allow the attacker to gain unauthorized access to machines running units through the affected charm, potentially compromising the system's confidentiality, integrity, and availability (Ubuntu, GitHub Advisory).

There are no known workarounds for this vulnerability. The issue has been patched in Juju versions 2.9.52 and 3.6.8. Organizations are advised to upgrade to these patched versions to protect against potential exploitation (GitHub Advisory).