CVE-2025-0928

Description

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 2.32%• Percentile: 85%

Techniques & Countermeasures

• CWE-285•Improper Authorization

  The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

• CWE-434•Unrestricted Upload of File with Dangerous Type

  The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Affected Systems

• canonical•juju

  ≥ 2.0.0, < 2.9.52 | ≥ 3.0.0, < 3.6.8 | < 2.9.52 | ≥ 3.0, < 3.6.8

• github.com/juju•juju

  < 0.0.0-20250619215741-4034aa13c7cf | all

References (8)

• https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv
• https://nvd.nist.gov/vuln/detail/CVE-2025-0928
• https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e
• https://github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c
• https://github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096
• https://github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf
• https://github.com/juju/juju
• https://pkg.go.dev/vuln/GO-2025-3805