High severityNVD Advisory· Published Oct 2, 2025· Updated Feb 26, 2026

Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API

CVE-2025-54289

Description

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/canonical/lxdGo	>= 4.0, < 5.21.4	5.21.4
github.com/canonical/lxdGo	>= 6.0, < 6.5	6.5
github.com/canonical/lxdGo	>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41	0.0.0-20250827065555-0494f5d47e41

Affected products

Canonical (company)/Lxdv5
Range: 6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-3g72-chj4-2228ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-54289ghsaADVISORY
github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228ghsaWEB
pkg.go.dev/vuln/GO-2025-3999ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000