CVE-2025-54288: 
NixOS vulnerability analysis and mitigation

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line. The vulnerability was discovered and disclosed on October 2, 2025, and is tracked as CVE-2025-54288 (NVD).

The vulnerability exists in the findContainerForPID function in lxd/api_devlxd.go, where the source container identification process relies on process cmdline information. The function identifies senders through two steps: cmdline-based identification and PID namespace-based identification. The issue has been assigned a CVSS v4.0 score of 5.1 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N, indicating network accessibility with low attack complexity but requiring high privileges (Miggo, GitHub Advisory).

The vulnerability enables attackers to perform unauthorized access to container information, including theft of other containers' metadata, configuration details, and device information through the devLXD API endpoints. This is particularly concerning in environments where multiple projects run containers on the same LXD host, as it can lead to inter-project information leakage. The attack requires root privileges within any container to execute (GitHub Advisory).

The vulnerability has been patched in LXD versions 6.5 and 5.21.4. The fix involves modifying the implementation to use cmdline information only when the PID namespace of the target process matches the PID namespace of the process running LXD. For versions 5.0 and 4.0, the issue has been marked as 'not critical' and 'EOL not critical' respectively (GitHub Advisory).