CVE-2025-53512

CVE-2025-53512 is a medium-severity security vulnerability in github.com/juju/juju (go), affecting versions < 0.0.0-20250619024904-402ff008dcc2. It is fixed in 0.0.0-20250619024904-402ff008dcc2.

Details

The /log handler is reachable at the following endpoints:

  • wss://<controller-ip>/log
  • wss://<controller-ip>/model/<model-uuid>/log

To connect to these endpoints, the client must send an X-Juju-ClientVersion header that matches the controller's current version and pass credentials in a Basic Authorization header. Once connected, the service streams log events even though the user is not authorised to view them.

To reproduce:

juju bootstrap
juju add-user testuser
juju change-user-password testuser

Run the wscat command below to connect to wss://<controller-ip>:17070/api. Update the JSON payload to include the username and password that were created above.

wscat --no-check -c wss://<controller-ip>:17070/model/<model-uuid>/api
{ "type": "Admin", "request": "Login", "version": 3, "params": { "client-version": "3.6.1.0", "auth-tag": "user-testuser", "credentials": "password" } }

Observe that the connection fails due to a lack of permissions.

Run the command below to connect to the log endpoint. Note that the credentials are passed in the --auth flag.

wscat --auth user-testuser:password -H "X-Juju-ClientVersion: 3.6.4" --no-check -c wss://<controller-ip>:17070/log

Observe that the logs are returned in the server’s response.

Code

The /log handlers are registered here:
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L867
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L980

The only check applied is that the incoming request comes from an authenticated user:

https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L713

No permission check on the controller or the model follows that authentication step.
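The gap described above, authentication with no authorization step behind it, is easiest to see with the two checks side by side. The Go program below is an added example written for this page, not Juju's code: the Access levels, the Principal and Directory types, the two-user fixture and the hardened rule (superuser for controller-wide logs, at least read access on a model for that model's logs) are all constructed assumptions and do not describe the upstream fix. Each authorizer is a plain function so a handler can swap from the auth-only form to the permission-checked one without touching the streaming code.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Access is a hypothetical model-permission level for this example; it is not Juju's type.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	WriteAccess
	AdminAccess
)

// Principal is the caller as resolved from the Basic Authorization header.
type Principal struct {
	Tag         string            // e.g. "user-testuser"
	Superuser   bool              // controller-wide superuser
	ModelAccess map[string]Access // model UUID -> granted access
}

var (
	ErrUnauthenticated = errors.New("invalid or missing credentials")
	ErrForbidden       = errors.New("insufficient permissions for log stream")
)

// Directory is a constructed stand-in for the controller user database.
type Directory struct {
	passwords  map[string]string    // tag -> password (plaintext only for the demo)
	principals map[string]Principal // tag -> resolved permissions
}

// Authenticate answers only "does this user exist with this password?".
// This is the sole check the vulnerable handler performed.
func (d Directory) Authenticate(tag, password string) (Principal, error) {
	want, ok := d.passwords[tag]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return Principal{}, ErrUnauthenticated
	}
	return d.principals[tag], nil
}

// AuthorizeLogStreamAuthOnly mirrors the defect: being authenticated is enough,
// and neither controller nor model permissions are consulted.
func AuthorizeLogStreamAuthOnly(p Principal, modelUUID string) error {
	return nil
}

// AuthorizeLogStream is the hardened check: controller-wide logs (empty model UUID)
// require superuser; per-model logs require at least read access on that model.
func AuthorizeLogStream(p Principal, modelUUID string) error {
	if p.Superuser {
		return nil
	}
	if modelUUID == "" {
		return ErrForbidden
	}
	if p.ModelAccess[modelUUID] >= ReadAccess { // nil map reads as NoAccess
		return nil
	}
	return ErrForbidden
}

// OpenLogStream wires the steps the way a handler would: authenticate, then
// authorize, and only then would the log stream be started.
func OpenLogStream(d Directory, authorize func(Principal, string) error, tag, password, modelUUID string) error {
	p, err := d.Authenticate(tag, password)
	if err != nil {
		return err
	}
	return authorize(p, modelUUID)
}

// DemoDirectory is the constructed fixture: an admin with superuser, a reader with
// read access on model "m1" only, and testuser who exists but holds no grants.
func DemoDirectory() Directory {
	return Directory{
		passwords: map[string]string{
			"user-admin": "admin-pw", "user-reader": "reader-pw", "user-testuser": "password",
		},
		principals: map[string]Principal{
			"user-admin":    {Tag: "user-admin", Superuser: true},
			"user-reader":   {Tag: "user-reader", ModelAccess: map[string]Access{"m1": ReadAccess}},
			"user-testuser": {Tag: "user-testuser"},
		},
	}
}

func main() {
	d := DemoDirectory()
	fmt.Println("auth-only, testuser on m1:", OpenLogStream(d, AuthorizeLogStreamAuthOnly, "user-testuser", "password", "m1"))
	fmt.Println("hardened,  testuser on m1:", OpenLogStream(d, AuthorizeLogStream, "user-testuser", "password", "m1"))
	fmt.Println("hardened,  reader on m1:  ", OpenLogStream(d, AuthorizeLogStream, "user-reader", "reader-pw", "m1"))
	fmt.Println("hardened,  reader on m2:  ", OpenLogStream(d, AuthorizeLogStream, "user-reader", "reader-pw", "m2"))
	fmt.Println("hardened,  admin controller-wide:", OpenLogStream(d, AuthorizeLogStream, "user-admin", "admin-pw", ""))
}
```

The auth-only form admits testuser to every stream, which is the behaviour the advisory describes; the hardened form turns the same request into ErrForbidden while still admitting the reader on the one model they were granted and the superuser everywhere.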

Workarounds

There are no workarounds.

Impact

Any user with a Juju account on a controller can read debug log messages from the /log endpoint.
No specific permissions are required; it is sufficient for the user to exist in the controller user database.
The log messages may contain sensitive information.

CVE-2025-53512 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20250619024904-402ff008dcc2); upgrading removes the vulnerable code path.

Affected versions

github.com/juju/juju (< 0.0.0-20250619024904-402ff008dcc2)

Security releases

github.com/juju/juju → 0.0.0-20250619024904-402ff008dcc2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade github.com/juju/juju to 0.0.0-20250619024904-402ff008dcc2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-53512? CVE-2025-53512 is a medium-severity security vulnerability in github.com/juju/juju (go), affecting versions < 0.0.0-20250619024904-402ff008dcc2. It is fixed in 0.0.0-20250619024904-402ff008dcc2.
  2. How severe is CVE-2025-53512? CVE-2025-53512 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/juju/juju are affected by CVE-2025-53512? github.com/juju/juju (go) versions < 0.0.0-20250619024904-402ff008dcc2 are affected.
  4. Is there a fix for CVE-2025-53512? Yes. CVE-2025-53512 is fixed in 0.0.0-20250619024904-402ff008dcc2. Upgrade to this version or later.
  5. Is CVE-2025-53512 exploitable, and should I be worried? Whether CVE-2025-53512 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-53512 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-53512? Upgrade github.com/juju/juju to 0.0.0-20250619024904-402ff008dcc2 or later.
