ghsa-w2hg-2v4p-vmh6
Vulnerability from github
Published
2025-10-02 21:21
Modified
2025-10-02 21:21
Summary
Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns
Details

Impact

In LXD's instance snapshot creation functionality, the Pongo2 template engine is used to render the snapshots.pattern configuration key into snapshot names. While no code execution capability has been found in this template engine, it can read files from the host (for example through its include tag), so anyone who can set the pattern can read arbitrary files through template injection.

Reproduction Steps

  1. Log in to LXD-UI with an account that has permissions to modify instance settings
  2. Set the following template injection payload as the instance snapshot pattern (snapshots.pattern):

{% filter urlencode|slice:":100" %}{% include "/etc/passwd" %}{%endfilter %}

Note that the above template uses the Pongo2 template engine's include tag to read system files. It also wraps the result in the urlencode and slice filters to bypass the character-count and character-type restrictions on snapshot names.

  3. Set scheduled snapshots to run every minute and wait for snapshot generation
  4. Wait about a minute and confirm that the file contents appear in the name of the created snapshot

Risk

The attack requires having configuration change permissions for LXD instances. The attack allows reading arbitrary files accessible with LXD process permissions. This could lead to leakage of the following information:

  - LXD host configuration files (/etc/passwd, /etc/shadow, etc.)
  - LXD database files (containing information about all projects and instances)
  - Configuration files and data of other instances
  - Sensitive information on the host system

Countermeasures

Pongo2 provides mechanisms for sandboxing templates.

Template sandboxing (directory patterns, banned tags/filters) ( https://github.com/flosch/pongo2/tree/master?tab=readme-ov-file#features )

This functionality allows banning specific tags and filters by generating a custom TemplateSet.

At minimum, the following tags are considered to pose a risk of file leakage on the LXD host when used. Therefore, banning these can provide countermeasures against file reading attacks.

  - include
  - ssi
  - extends
  - import

The deny-list approach is prone to vulnerability recurrence due to missed countermeasures or new feature additions. Therefore, as the safest approach, we recommend using an allow-list format to permit only necessary functions.

However, as far as our investigation shows, pongo2 does not have functionality to retrieve a list of registered tags or filters, nor does it provide means to implement an allow-list approach. Therefore, it is necessary to either forcibly obtain the registration list through reflection and ban anything not on the allow-list, or ban everything from the current implemented list since the library has not been updated for about two years.

In LXD's implementation, template injection attacks can be prevented by modifying the RenderTemplate function in shared/util.go to render snapshot patterns through a restricted TemplateSet with the tags listed above banned.
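The advisory notes that pongo2 offers no allow-list mechanism of its own. The Go program below is an added example (not LXD's fix and not pongo2 code) of the alternative a practitioner can put in front of the engine: a syntactic pre-check that scans a snapshots.pattern string for `{% ... %}` tags and `{{ ... }}` filter chains and rejects anything not on an allow-list, so the pattern never reaches pongo2 unless every construct in it is known. It uses only the Go standard library and so runs offline; the allow-list contents (no tags at all, and only the date, lower and upper filters), the function names Violations and ValidatePattern, and the benign test pattern are assumptions made for this example. It gates the template text rather than sandboxing the engine, so it complements rather than replaces the restricted TemplateSet the advisory describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Allow-lists for snapshot patterns. These are assumptions for this example,
// not LXD's configuration: a snapshot name only needs variable expansion plus
// a few formatting filters, so no block tags are permitted and only a handful
// of filters are. Everything else is reported.
var allowedTags = map[string]bool{}

var allowedFilters = map[string]bool{
	"date":  true,
	"lower": true,
	"upper": true,
}

// splitOutsideQuotes splits s on sep, ignoring separators inside single- or
// double-quoted strings (filter arguments such as date:'2006|01' are quoted).
func splitOutsideQuotes(s string, sep byte) []string {
	var parts []string
	var quote byte
	start := 0
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == sep:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// filterNames extracts the filter names from an expression such as
// `creation_date|date:'2006-01-02'|lower`, dropping the value before the
// first pipe and the argument after each colon.
func filterNames(expr string) []string {
	segs := splitOutsideQuotes(expr, '|')
	var names []string
	for _, seg := range segs[1:] {
		name := strings.TrimSpace(seg)
		if i := strings.IndexByte(name, ':'); i >= 0 {
			name = name[:i]
		}
		names = append(names, strings.TrimSpace(name))
	}
	return names
}

// Violations scans a template string for pongo2 delimiters and returns one
// entry for every tag or filter not on the allow-list and for any unterminated
// delimiter. It is a syntactic pre-check, not a template parser: anything it
// cannot classify is reported rather than allowed through.
func Violations(pattern string) []string {
	var out []string
	rest := pattern
	for {
		i := strings.Index(rest, "{")
		if i < 0 || i+1 >= len(rest) {
			return out
		}
		open := rest[i : i+2]
		var closeTok string
		switch open {
		case "{%":
			closeTok = "%}"
		case "{{":
			closeTok = "}}"
		case "{#":
			closeTok = "#}"
		default:
			rest = rest[i+1:]
			continue
		}
		j := strings.Index(rest[i+2:], closeTok)
		if j < 0 {
			return append(out, fmt.Sprintf("unterminated %s", open))
		}
		body := rest[i+2 : i+2+j]
		rest = rest[i+2+j+2:]
		// Whitespace-control markers ({%- ... -%}) are not part of the name.
		body = strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(body), "-"), "-"))
		switch open {
		case "{#":
			continue // comments render nothing
		case "{{":
			for _, f := range filterNames(body) {
				if !allowedFilters[f] {
					out = append(out, "filter "+f)
				}
			}
		case "{%":
			fields := strings.Fields(body)
			if len(fields) == 0 {
				out = append(out, "empty tag")
				continue
			}
			if !allowedTags[fields[0]] {
				out = append(out, "tag "+fields[0])
			}
			if fields[0] == "filter" {
				// {% filter a|b %} applies filters to a block; check those too.
				for _, f := range filterNames("_|" + strings.TrimSpace(strings.TrimPrefix(body, "filter"))) {
					if !allowedFilters[f] {
						out = append(out, "filter "+f)
					}
				}
			}
		}
	}
}

// ValidatePattern is the gate a caller would place in front of the template
// engine: it refuses the whole pattern if any construct is not allow-listed.
func ValidatePattern(pattern string) error {
	if v := Violations(pattern); len(v) > 0 {
		return fmt.Errorf("snapshot pattern rejected: %s", strings.Join(v, ", "))
	}
	return nil
}

func main() {
	// Constructed inputs: the advisory's payload and a benign date-based pattern.
	for _, p := range []string{
		`{% filter urlencode|slice:":100" %}{% include "/etc/passwd" %}{%endfilter %}`,
		`snapshot-{{ creation_date|date:'2006-01-02_15-04-05' }}`,
	} {
		fmt.Printf("%q -> %v\n", p, ValidatePattern(p))
	}
}
```

Run as-is, it prints the verdict for the advisory's payload (rejected on the filter, include and endfilter tags and on the urlencode and slice filters) and for the benign pattern (accepted). Because unknown constructs are violations by default, the four tags the advisory names are rejected without being enumerated, and a tag or filter added to pongo2 later is rejected rather than silently allowed; the trade-off is that every legitimate new construct must be added to the allow-list explicitly.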

Patches

| LXD Series | Status |
| ------------- | ------------- |
| 6 | Fixed in LXD 6.5 |
| 5.21 | Fixed in LXD 5.21.4 |
| 5.0 | Ignored - Not critical |
| 4.0 | Ignored - EOL and not critical |

References

Reported by GMO Flatt Security Inc.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "5.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0"
            },
            {
              "fixed": "6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20200331193331-03aab09f5b5c"
            },
            {
              "fixed": "0.0.0-20250827065555-0494f5d47e41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-02T21:21:33Z",
    "nvd_published_at": "2025-10-02T10:15:38Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn LXD\u0027s instance snapshot creation functionality, the Pongo2 template engine is used in the `snapshots.pattern` configuration for generating snapshot names. While code execution functionality has not been found in this template engine, it has file reading capabilities, creating a vulnerability that allows arbitrary file reading through template injection attacks.\n\n### Reproduction Steps\n\n1. Log in to LXD-UI with an account that has permissions to modify instance settings\n2. Set the following template injection payload in the instance snapshot pattern:\n\n```\n{% filter urlencode|slice:\":100\" %}{% include \"/etc/passwd\" %}{%endfilter %}\n```\n\nNote that the above template uses the Pongo2 template engine\u0027s include tag to read system files. It also uses urlencode and slice filters to bypass character count and type restrictions.\n\n3. Set scheduled snapshots to run every minute and wait for snapshot generation\n4. Wait about a minute and confirm that file contents can be obtained from the created snapshot name\n\n### Risk\nThe attack requires having configuration change permissions for LXD instances.\nThe attack allows reading arbitrary files accessible with LXD process permissions. This could lead to leakage of the following information:\n-\u200b LXD host configuration files (/etc/passwd, /etc/shadow, etc.)\n-\u200b LXD database files (containing information about all projects and instances)\n-\u200b Configuration files and data of other instances\n-\u200b Sensitive information on the host system\n\n### Countermeasures\nPongo2 provides mechanisms for sandboxing templates.\n\n\u003e Template sandboxing (directory patterns, banned tags/filters)\n( https://github.com/flosch/pongo2/tree/master?tab=readme-ov-file#features )\n\nThis functionality allows banning specific tags and filters by generating a custom TemplateSet.\n\nAt minimum, the following tags are considered to pose a risk of file leakage on the LXD host when used. Therefore, banning these can provide countermeasures against file reading attacks.\n-\u200b include\n-\u200b ssi\n-\u200b extends\n-\u200b import\n\nThe deny-list approach is prone to vulnerability recurrence due to missed countermeasures or new feature additions. Therefore, as the safest approach, we recommend using an allow-list format to permit only necessary functions.\n\nHowever, as far as our investigation shows, pongo2 does not have functionality to retrieve a list of registered tags or filters, nor does it provide means to implement an allow-list approach. Therefore, it is necessary to either forcibly obtain the registration list through reflection and ban anything not on the allow-list, or ban everything from the current implemented list since the library has not been updated for about two years.\n\nIn LXD\u0027s implementation, template injection attacks can be prevented by modifying the `RenderTemplate` function in `shared/util.go` to use a restricted `TemplateSet` as shown above.\n\n### Patches\n\n| LXD Series  | Status |\n| ------------- | ------------- |\n| 6 | Fixed in LXD 6.5  |\n| 5.21 | Fixed in LXD 5.21.4  |\n| 5.0 | Ignored - Not critical  |\n| 4.0  | Ignored - EOL and not critical |\n\n### References\nReported by GMO Flatt Security Inc.",
  "id": "GHSA-w2hg-2v4p-vmh6",
  "modified": "2025-10-02T21:21:33Z",
  "published": "2025-10-02T21:21:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54287"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/lxd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns"
}

