CVE-2025-27088

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It's possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user's context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38	Product
https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564	Patch
https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc	Exploit Vendor Advisory
https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oxyno-zeta:s3-proxy::::::helm::*
	cpe:2.3:a:oxyno-zeta:s3-proxy::::::docker::*
	cpe:2.3:a:oxyno-zeta:s3-proxy::::::go::*

History

20 May 2025, 16:47

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oxyno-zeta:s3-proxy::::::helm::* cpe:2.3:a:oxyno-zeta:s3-proxy::::::docker::* cpe:2.3:a:oxyno-zeta:s3-proxy::::::go::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.2
First Time		Oxyno-zeta Oxyno-zeta s3-proxy
References	~~() https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38 -~~	() https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38 - Product
References	~~() https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564 -~~	() https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564 - Patch
References	~~() https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc -~~	() https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc - Exploit, Vendor Advisory

21 Feb 2025, 22:15

Type	Values Removed	Values Added
References	~~() https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc -~~	() https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc -
Summary		(es) oxyno-zeta/s3-proxy es un proxy de AWS S3 escrito en Go. En las versiones afectadas, una vulnerabilidad de Cross-site Scripting (XSS) reflejado permite a los atacantes crear URL maliciosas que, cuando se visitan, inyectan secuencias de comandos en la aplicación web. Esto puede provocar secuestros de sesión o ataques de phishing en un dominio de confianza, lo que supone un riesgo moderado para todos los usuarios. Es posible inyectar elementos HTML, incluidas secuencias de comandos, a través de la plantilla de lista de carpetas. La plantilla afectada permite a los usuarios interactuar con la ruta de URL proporcionada por la variable `Request.URL.Path`, que luego se representa directamente en el HTML sin la depuración o el escape adecuados. Los atacantes pueden abusar de esto y manipular una URL maliciosa que contenga HTML o JavaScript inyectado. Cuando los usuarios visitan una URL de este tipo, la secuencia de comandos maliciosa se ejecutará en el contexto del usuario. Este problema se ha solucionado en la versión 4.18.1 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.

20 Feb 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-20 23:15

Updated : 2025-05-20 16:47

NVD link : CVE-2025-27088

Mitre link : CVE-2025-27088

CVE.ORG link : CVE-2025-27088

JSON object : View

Products Affected

oxyno-zeta

s3-proxy

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-27088", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-20T23:15:13.397", "references": [{"url": "https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It's possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user's context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "oxyno-zeta/s3-proxy es un proxy de AWS S3 escrito en Go. En las versiones afectadas, una vulnerabilidad de Cross-site Scripting (XSS) reflejado permite a los atacantes crear URL maliciosas que, cuando se visitan, inyectan secuencias de comandos en la aplicaci\u00f3n web. Esto puede provocar secuestros de sesi\u00f3n o ataques de phishing en un dominio de confianza, lo que supone un riesgo moderado para todos los usuarios. Es posible inyectar elementos HTML, incluidas secuencias de comandos, a trav\u00e9s de la plantilla de lista de carpetas. La plantilla afectada permite a los usuarios interactuar con la ruta de URL proporcionada por la variable `Request.URL.Path`, que luego se representa directamente en el HTML sin la depuraci\u00f3n o el escape adecuados. Los atacantes pueden abusar de esto y manipular una URL maliciosa que contenga HTML o JavaScript inyectado. Cuando los usuarios visitan una URL de este tipo, la secuencia de comandos maliciosa se ejecutar\u00e1 en el contexto del usuario. Este problema se ha solucionado en la versi\u00f3n 4.18.1 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "lastModified": "2025-05-20T16:47:38.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oxyno-zeta:s3-proxy:*:*:*:*:*:helm:*:*", "vulnerable": true, "matchCriteriaId": "DC2BCAB2-D2F7-46CC-8087-E68FA3609FB4", "versionEndExcluding": "2.23.1"}, {"criteria": "cpe:2.3:a:oxyno-zeta:s3-proxy:*:*:*:*:*:docker:*:*", "vulnerable": true, "matchCriteriaId": "026713EC-4018-46F3-A31B-388B7CADE215", "versionEndExcluding": "4.18.1"}, {"criteria": "cpe:2.3:a:oxyno-zeta:s3-proxy:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "ADFAF1FF-DF4A-45CE-BA47-BE305908167B", "versionEndExcluding": "4.18.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

8.2 /10