CVE-2025-54289: 
NixOS vulnerability analysis and mitigation

A privilege escalation vulnerability was discovered in Canonical LXD's operations API affecting versions prior to 6.5. The vulnerability (CVE-2025-54289) was disclosed on October 2, 2025, and allows attackers with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking (GitHub Advisory).

The vulnerability stems from LXD's operations API including secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication of WebSocket connections for terminal and console sessions. The vulnerability has been assigned CWE-1385 (Missing Origin Validation in WebSockets) and received a CVSS v4.0 score of 7.4 (HIGH) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows attackers with read permissions to hijack terminal or console sessions opened by other users. Through this hijacking, attackers can execute arbitrary commands inside instances with the victim's privileges, effectively achieving privilege escalation (GitHub Advisory).

The vulnerability has been patched in LXD versions 6.5 and 5.21.4. The fundamental countermeasure implemented excludes WebSocket connection secret information from operations API responses for read-only users. This prevents attackers from obtaining secret values, making WebSocket connection hijacking impossible (GitHub Advisory).