CVE-2025-68153 Overview
CVE-2025-68153 is an Incorrect Authorization vulnerability (CWE-863) affecting Juju, an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called 'charms'. The vulnerability allows any authenticated user, machine, or controller under a Juju controller to modify the resources of any application on that controller, regardless of the caller's actual access level.
Critical Impact
Any authenticated entity can modify application resources across the entire Juju controller. Because a charm resource is a blob the charm consumes (an OCI image reference, a binary, a configuration bundle), replacing it can alter what the application runs, leading to unauthorized configuration changes, resource manipulation, and compromise of the orchestrated infrastructure.
Affected Products
- Juju versions 2.9 to before 2.9.56
- Juju versions 3.6 to before 3.6.19
Discovery Timeline
- 2026-04-03 - CVE-2025-68153 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2025-68153
Vulnerability Analysis
This vulnerability stems from improper authorization controls in the Juju resource management API. The flaw allows authenticated users to bypass intended access restrictions and modify resources belonging to applications they should not have access to. In a multi-tenant or multi-application Juju deployment, this breaks the security model by enabling lateral movement and unauthorized modifications across application boundaries.
The vulnerability is exploitable over the network by any authenticated entity, including users, machines, or controllers operating under a Juju controller. The impact is primarily on integrity, as attackers can modify resources without authorization, potentially affecting the operational state and configuration of deployed applications.
Root Cause
The root cause is a missing authorization check in the resource upload functionality. Prior to the patch, the API server verified only that the caller was authenticated; it did not check that the caller held write permission on the target before allowing it to upload or modify resources. Mistaking authentication for authorization is the essence of CWE-863: any authenticated entity could perform resource operations regardless of its actual permission level within the controller hierarchy.
Attack Vector
The attack vector is network-based with low complexity. An attacker holding any valid credential for the controller (a user login, a machine agent's credentials, or another controller's) exploits the flaw by:
- Authenticating to the Juju controller API with those credentials
- Sending a resource upload or modification request for an application it has no write access to
The server then processes the request without validating the caller's permission, and the resource is replaced, compromising the application's integrity.
The security patch adds proper permission checks to ensure only users with write permissions can upload or modify resources. The excerpt below, taken from the fix commit, shows only the import block of the affected file; the permission check itself is not reproduced here:
import (
	"io"
	"slices"
	"strings"

	"github.com/juju/charm/v8"
	charmresource "github.com/juju/charm/v8/resource"
	"github.com/juju/errors"
	"github.com/juju/names/v4"
	"gopkg.in/errgo.v1"
	"gopkg.in/macaroon.v2"

	"github.com/juju/juju/api/base"
)
Source: GitHub Commit
This import list (slices, errgo, macaroon and the Juju API base package) does not by itself implement any authorization; it only identifies the file the fix touches. The actual write-permission check has to be read from the referenced commit, and the excerpt should not be taken as evidence of how the check is structured.
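As an added illustration of the bug class described in the Root Cause and patch sections (my own code, not Juju's source and not the commit excerpted above), the two handlers below model a resource upload endpoint before and after the fix. The access-level ordering, the `Authorizer`, `HasModelAccess`, `UploadVulnerable` and `UploadFixed` names, and the in-memory store are all constructed for the example; Juju's real permission model and the commit's actual check must be read from the source.

```go
// Illustrative model of CVE-2025-68153's bug class (not Juju's code): a
// resource upload handler that checks only that the caller is logged in,
// next to the hardened form that also demands write access on the model.
package main

import (
	"errors"
	"fmt"
)

// Access is a constructed stand-in for Juju-style model access levels.
// The ordering is what makes ">= WriteAccess" meaningful below.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	WriteAccess
	AdminAccess
)

// ErrPerm mirrors the "permission denied" an API server should return.
var ErrPerm = errors.New("permission denied")

// Entity is any authenticated caller: a user, a machine agent, or another
// controller. Grants maps model UUID -> access level (constructed data).
type Entity struct {
	Tag    string
	Grants map[string]Access
}

// Authorizer stands in for the authenticated-connection object a server
// hands to each request handler.
type Authorizer struct{ Caller Entity }

// Authenticated reports only that a login succeeded; it says nothing
// about what the caller is allowed to do.
func (a Authorizer) Authenticated() bool { return a.Caller.Tag != "" }

// HasModelAccess is the check that was missing: does the caller hold at
// least `want` on this model? A missing map entry reads as NoAccess.
func (a Authorizer) HasModelAccess(modelUUID string, want Access) bool {
	return a.Caller.Grants[modelUUID] >= want
}

// UploadRequest is the path parameters plus body of a resource upload.
type UploadRequest struct {
	ModelUUID, Application, Resource string
	Body                             []byte
}

// ResourceStore is an in-memory stand-in for the controller's blob store.
type ResourceStore struct{ blobs map[string][]byte }

func NewStore() *ResourceStore { return &ResourceStore{blobs: map[string][]byte{}} }

func (s *ResourceStore) Get(modelUUID, app, res string) ([]byte, bool) {
	b, ok := s.blobs[modelUUID+"/"+app+"/"+res]
	return b, ok
}

func (s *ResourceStore) put(r UploadRequest) {
	s.blobs[r.ModelUUID+"/"+r.Application+"/"+r.Resource] = r.Body
}

// UploadVulnerable is the CWE-863 pattern: authentication is mistaken for
// authorization, so any logged-in entity may overwrite any application's
// resource in any model on the controller.
func UploadVulnerable(a Authorizer, s *ResourceStore, r UploadRequest) error {
	if !a.Authenticated() {
		return ErrPerm
	}
	s.put(r)
	return nil
}

// UploadFixed performs the write-permission check before touching the store.
func UploadFixed(a Authorizer, s *ResourceStore, r UploadRequest) error {
	if !a.Authenticated() {
		return ErrPerm
	}
	if !a.HasModelAccess(r.ModelUUID, WriteAccess) {
		return fmt.Errorf("upload %s/%s in model %s by %s: %w",
			r.Application, r.Resource, r.ModelUUID, a.Caller.Tag, ErrPerm)
	}
	s.put(r)
	return nil
}

func main() {
	// Constructed scenario: alice is admin on model-b only but targets model-a.
	alice := Authorizer{Caller: Entity{Tag: "user-alice", Grants: map[string]Access{"model-b": AdminAccess}}}
	req := UploadRequest{ModelUUID: "model-a", Application: "nginx", Resource: "website", Body: []byte("tampered")}

	fmt.Println("vulnerable:", UploadVulnerable(alice, NewStore(), req)) // accepted
	fmt.Println("fixed:     ", UploadFixed(alice, NewStore(), req))      // permission denied
}
```

The point to take from the pair is that `Authenticated()` is necessary but never sufficient: every write path on a multi-model controller needs an explicit check against the access level granted on the specific model the request names, and a read-only grant must fail that check just as a missing grant does.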
Detection Methods for CVE-2025-68153
Indicators of Compromise
- Unexpected modifications to application resources by users without appropriate permissions
- Audit logs showing resource upload or modification requests from unauthorized accounts
- Changes to charm resources that were not initiated through approved change management processes
- API access patterns showing cross-application resource manipulation
Detection Strategies
- Review Juju controller audit logs for resource modification events from unexpected sources
- Monitor API calls to resource endpoints for unusual access patterns or privilege misuse
- Implement alerting on resource changes that don't correlate with authorized deployment activities
- Compare resource state against known-good baselines to detect unauthorized modifications
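One way to operationalize the indicator "resource modification requests from accounts without appropriate permissions", as an added example that is not part of the original page and not Juju's code: attribute each resource-changing API request to the user who opened the connection, then compare that user against a baseline of who holds write access on the model. The line-per-record JSON shape below (a `conversation` record carrying `who` and `model-uuid`, a `request` record carrying `facade` and `method`, joined by `conversation-id`) is what I assume Juju's audit.log looks like, and `Resources.AddPendingResources` is assumed to be the RPC call that precedes a resource upload; verify both against a controller's own /var/log/juju/audit.log before relying on the field names. The log lines and the writers baseline are constructed.

```go
// Added detection example (not Juju's code): join audit-log records so
// resource-changing calls are attributed to the connecting user, then flag
// callers who are not in the known-writers baseline for that model.
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Record is the per-line shape assumed for Juju's audit.log: each line
// carries exactly one of conversation / request / errors.
type Record struct {
	Conversation *struct {
		Who            string `json:"who"`
		ModelUUID      string `json:"model-uuid"`
		ConversationID string `json:"conversation-id"`
	} `json:"conversation,omitempty"`
	Request *struct {
		ConversationID string `json:"conversation-id"`
		When           string `json:"when"`
		Facade         string `json:"facade"`
		Method         string `json:"method"`
	} `json:"request,omitempty"`
}

// Finding is one resource operation by a caller outside the baseline.
type Finding struct {
	When, Who, ModelUUID, Facade, Method string
}

// resourceMethods lists facade.method pairs that change application
// resources; the entry is an assumption to adjust for your Juju version.
var resourceMethods = map[string]bool{
	"Resources.AddPendingResources": true,
}

// FlagUnauthorizedResourceOps scans audit-log text. writers maps model
// UUID -> set of user names known to hold write or admin access on it.
func FlagUnauthorizedResourceOps(log string, writers map[string]map[string]bool) ([]Finding, error) {
	type conv struct{ who, model string }
	convs := map[string]conv{}
	var out []Finding

	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec Record
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		switch {
		case rec.Conversation != nil:
			c := rec.Conversation
			convs[c.ConversationID] = conv{who: c.Who, model: c.ModelUUID}
		case rec.Request != nil:
			r := rec.Request
			if !resourceMethods[r.Facade+"."+r.Method] {
				continue
			}
			c, ok := convs[r.ConversationID]
			if !ok {
				// No conversation record seen (log rotation, truncation):
				// surface it as unattributed rather than silently dropping it.
				out = append(out, Finding{When: r.When, Who: "<unknown>", Facade: r.Facade, Method: r.Method})
				continue
			}
			if !writers[c.model][c.who] {
				out = append(out, Finding{When: r.When, Who: c.who, ModelUUID: c.model, Facade: r.Facade, Method: r.Method})
			}
		}
	}
	return out, sc.Err()
}

// SampleLog is a constructed extract: alice (write on model-a) attaches a
// resource legitimately; mallory (no write grant on model-a) does the same.
const SampleLog = `
{"conversation":{"who":"alice","what":"juju attach-resource nginx website=./site.tgz","when":"2026-04-05T10:00:00Z","model-name":"prod","model-uuid":"model-a","conversation-id":"c1","connection-id":"1"}}
{"request":{"conversation-id":"c1","connection-id":"1","request-id":1,"when":"2026-04-05T10:00:01Z","facade":"Resources","method":"AddPendingResources","version":3}}
{"conversation":{"who":"mallory","what":"juju attach-resource nginx website=./evil.tgz","when":"2026-04-05T10:05:00Z","model-name":"prod","model-uuid":"model-a","conversation-id":"c2","connection-id":"2"}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":1,"when":"2026-04-05T10:05:01Z","facade":"Resources","method":"AddPendingResources","version":3}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":2,"when":"2026-04-05T10:05:02Z","facade":"Client","method":"FullStatus","version":6}}
`

// SampleWriters is the constructed baseline of who may write to model-a.
var SampleWriters = map[string]map[string]bool{"model-a": {"alice": true}}

func main() {
	findings, err := FlagUnauthorizedResourceOps(SampleLog, SampleWriters)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s on %s called %s.%s without write access\n", f.When, f.Who, f.ModelUUID, f.Facade, f.Method)
	}
}
```

On a patched controller the refused call will appear in the log together with an errors record, so a hit is still worth reviewing: it shows who attempted the operation. On an unpatched controller the same hit is the only trace of a successful bypass, which is why the baseline of legitimate writers has to be maintained independently of the log.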
Monitoring Recommendations
- Enable comprehensive audit logging on Juju controllers to capture all resource operations
- Implement SIEM integration to correlate Juju API activity with user authentication events
- Set up alerts for resource modifications outside of maintenance windows
- Regularly review access patterns to identify potential abuse of the authorization bypass
How to Mitigate CVE-2025-68153
Immediate Actions Required
- Upgrade Juju to version 2.9.56 or later for the 2.9.x branch
- Upgrade Juju to version 3.6.19 or later for the 3.6.x branch
- Review audit logs for any suspicious resource modification activity prior to patching
- Verify the integrity of application resources after upgrading
Patch Information
The vulnerability has been addressed in Juju versions 2.9.56 and 3.6.19. The fix implements proper write permission validation before allowing resource upload operations. The security patch is available through the official Juju GitHub repository.
For detailed patch information, see:
Workarounds
- Restrict network access to Juju controllers to trusted administrative networks only
- Implement additional network segmentation to limit the blast radius of potential exploitation
- Review and minimize the number of authenticated users with access to Juju controllers
- Consider implementing additional monitoring and alerting while awaiting patch deployment
Note that these measures only reduce exposure from outside the deployment. The flaw is reachable by any authenticated entity, and machine agents and other controllers hold valid controller credentials by design, so a compromised machine can still exercise the bypass until the controller is upgraded.
# Upgrade the Juju client snap to the patched release
sudo snap refresh juju --channel=2.9/stable
# Or for 3.6 branch:
sudo snap refresh juju --channel=3.6/stable
# The client snap does not patch a running controller: the missing check is
# server-side, so upgrade the controller agents, then each model
juju upgrade-controller
juju upgrade-model
# Verify the client version and the controller's agent-version
juju version
juju show-controller
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

