CVE-2025-68152

CVE-2025-68152 is a medium-severity incorrect authorization vulnerability in github.com/juju/juju (go), affecting versions < 0.0.0-20250623030540-c91a1f404695. It is fixed in 0.0.0-20250623030540-c91a1f404695.

Summary

It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level.

There is a debug log endpoint in the API server that allows streaming of logs off of the controller. To access this endpoint you must be authenticated and be either a machine agent, a controller agent, a controller admin, or a user with read permission on the model.

The problematic case is the machine agent path. The other checks are strict enough that an attacker cannot move sideways within the controller by obtaining log files.

Details

A compromised workload machine is capable of obtaining logs for both the controller and any model under the controller at any log level they wish. A bad actor can use this information as a signal for further attacks, or possibly gain secret information leaked in debug and trace logs. On top of this, they would also be able to receive the logs from the charm itself, over which we have no control.

  • here is where the authorizer is defined for the endpoint.
  • here is where the authorizer is checked.
  • here and onwards is the amount of information the attacker can gain access to.
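The authorization rule described above (any authenticated machine agent passes, regardless of which model's logs are requested) beside a scoped variant, as an added illustration that is not Juju's own code or its actual fix. The `Identity` and `LogRequest` types, the field names, and the "workload machines may only stream their own model's logs" rule are assumptions made for this example:

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is the caller as seen after authentication. The field names are
// assumptions for this example, not Juju's types.
type Identity struct {
	Kind         string          // "machine", "controller" or "user"
	IsController bool            // machine agents: true for a controller machine
	ModelUUID    string          // machine agents: the model the machine belongs to
	IsAdmin      bool            // users: controller admin
	ModelRead    map[string]bool // users: models with read permission
}

// LogRequest names the model whose logs the caller wants to stream.
type LogRequest struct {
	ModelUUID string
}

var ErrPermission = errors.New("permission denied")

// authorizeVulnerable mirrors the rule the advisory describes: any
// authenticated machine agent is allowed, whatever model is requested.
func authorizeVulnerable(id Identity, req LogRequest) error {
	switch {
	case id.Kind == "machine", id.Kind == "controller":
		return nil
	case id.Kind == "user" && (id.IsAdmin || id.ModelRead[req.ModelUUID]):
		return nil
	}
	return ErrPermission
}

// authorizeHardened is one way to scope the machine agent path: controller
// machines and controller agents keep full access, but a workload machine may
// only stream logs for the model it belongs to. This is an illustrative
// tightening, not the change shipped in the fixed version.
func authorizeHardened(id Identity, req LogRequest) error {
	switch {
	case id.Kind == "controller":
		return nil
	case id.Kind == "machine" && id.IsController:
		return nil
	case id.Kind == "machine" && id.ModelUUID != "" && id.ModelUUID == req.ModelUUID:
		return nil
	case id.Kind == "user" && (id.IsAdmin || id.ModelRead[req.ModelUUID]):
		return nil
	}
	return ErrPermission
}

func main() {
	// Constructed sample callers; the UUIDs are placeholders.
	workload := Identity{Kind: "machine", ModelUUID: "model-a"}
	other := LogRequest{ModelUUID: "model-b"}
	own := LogRequest{ModelUUID: "model-a"}

	fmt.Println("vulnerable, workload -> other model:", authorizeVulnerable(workload, other))
	fmt.Println("hardened,   workload -> other model:", authorizeHardened(workload, other))
	fmt.Println("hardened,   workload -> own model:  ", authorizeHardened(workload, own))
}
```

Running the block prints `<nil>` for the first line and `permission denied` for the second: the same compromised workload agent credential that streams every model's logs under the first rule is confined to its own model under the second. The empty-UUID guard in the hardened rule avoids a machine with no model matching a request that also carries no model.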

PoC

If an attacker compromises a workload machine, they will have access to the agent.conf file containing the credentials. This can then be used to obtain debug logs for any part of the controller.

Impact

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

CVE-2025-68152 has a CVSS score of 4.9 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20250623030540-c91a1f404695); upgrading removes the vulnerable code path.

Affected versions

github.com/juju/juju (< 0.0.0-20250623030540-c91a1f404695)

Security releases

github.com/juju/juju → 0.0.0-20250623030540-c91a1f404695 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/juju/juju to 0.0.0-20250623030540-c91a1f404695 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-68152? CVE-2025-68152 is a medium-severity incorrect authorization vulnerability in github.com/juju/juju (go), affecting versions < 0.0.0-20250623030540-c91a1f404695. It is fixed in 0.0.0-20250623030540-c91a1f404695. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is CVE-2025-68152? CVE-2025-68152 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/juju/juju are affected by CVE-2025-68152? github.com/juju/juju (go) versions < 0.0.0-20250623030540-c91a1f404695 are affected.
  4. Is there a fix for CVE-2025-68152? Yes. CVE-2025-68152 is fixed in 0.0.0-20250623030540-c91a1f404695. Upgrade to this version or later.
  5. Is CVE-2025-68152 exploitable, and should I be worried? Whether CVE-2025-68152 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-68152 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-68152? Upgrade github.com/juju/juju to 0.0.0-20250623030540-c91a1f404695 or later.
