CVE-2025-54293: 
NixOS vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2025-54293) was discovered in the log file retrieval function of Canonical LXD 5.0 LTS on Linux. The vulnerability was identified on October 2, 2025, affecting authenticated remote users who have access to LXD instances. The issue specifically impacts the validLogFileName function in lxd/instance_logs.go that validates log file names (NVD, GitHub Advisory).

The vulnerability exists in the validLogFileName function which insufficiently validates filenames starting with snapshot_ or migration_ prefixes. The function lacks proper validation for the portion after the prefix, enabling path traversal attacks. While Linux typically rejects path traversal attempts like /not_exist_folder/../exist_folder/ within system calls, the attack succeeds in this case because URL normalization by golang's filepath.Join is performed before the validation. The vulnerability has been assigned a CVSS v4.0 score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links. This can lead to unauthorized access to sensitive information including LXD host configuration files (/etc/passwd, /etc/shadow), LXD database files containing information about all projects and instances, configuration files and data of other instances, and other sensitive information on the host system (GitHub Advisory).

The vulnerability has been fixed in LXD versions 5.21.4 and 6.5. The fix implements proper validation through the shared.IsFileName function, which ensures filenames do not contain /, , or .. characters. For LXD 5.0 LTS and 4.0, while marked as 'Ignored - Not critical', users are strongly advised to upgrade to patched versions to ensure system security (GitHub Advisory).