CVE-2025-27088

8.2 HIGH

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in oxyno-zeta/s3-proxy allows attackers to craft malicious URLs that inject scripts into the web application. When users visit these URLs, the scripts execute in their context, potentially leading to session hijacking or phishing attacks. All users of affected versions are at risk.

💻 Affected Systems

Products:
  • oxyno-zeta/s3-proxy
Versions: All versions before 4.18.1
Operating Systems: All platforms on which s3-proxy (a Go application) runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the vulnerable folder-list template is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal user sessions, perform actions as authenticated users, or redirect to phishing sites that appear legitimate due to the trusted domain context.

🟠 Likely Case

Session hijacking leading to unauthorized access to S3 resources, credential theft, or phishing attacks against users.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting malicious URLs with script payloads in the path parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.18.1

Vendor Advisory: https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc

Restart Required: Yes

Instructions:

1. Stop the s3-proxy service.
2. Update to version 4.18.1 or later using your package manager or by downloading from GitHub.
3. Restart the service.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to block malicious requests.
  • Restrict access to the s3-proxy interface to trusted users only using network segmentation or authentication.

🔍 How to Verify

Check if Vulnerable:

Check if your s3-proxy version is below 4.18.1 by examining the binary or configuration.

Check Version:

./s3-proxy --version or check the application logs for version information

Verify Fix Applied:

Confirm the installed version is 4.18.1 or higher and test that script injection in URL paths no longer executes.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL paths containing script tags or JavaScript code in access logs
  • Multiple failed requests with suspicious path parameters

Network Indicators:

  • HTTP requests with URL paths containing <script>, javascript:, or other XSS payloads

SIEM Query:

source="s3-proxy" AND (url="*<script>*" OR url="*javascript:*")
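The query above matches only literal markers, so a percent-encoded path such as /%3Cscript%3E never hits it. The following detection script is an added example (not from this page or the s3-proxy project): it percent-decodes each request path, bounded to unwrap double encoding, before matching, and runs over constructed access-log lines in combined log format (the log format is an assumption; s3-proxy's own log output may differ, so adapt the regex).

```python
import re
from urllib.parse import unquote

# Markers checked case-insensitively AFTER percent-decoding, so that
# /%3Cscript%3E and double-encoded /%253Cscript%253E are caught as well.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Combined/common access-log format (an assumption; adapt to your proxy's format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) to unwrap layered encoding, then lowercase."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()

def is_suspicious_path(path: str) -> bool:
    """True if the decoded path carries a script-injection marker."""
    norm = normalize_path(path)
    return any(marker in norm for marker in XSS_MARKERS)

def scan_access_log(lines):
    """Return (client_ip, raw_path, status) for each request whose path looks like an XSS probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_suspicious_path(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits

# Constructed sample lines: one benign listing, one plainly encoded probe,
# one double-encoded probe, and one benign path that merely contains "javascript".
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /bucket/reports/ HTTP/1.1" 200 1532',
    '203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /bucket/%3Cscript%3Ealert(1)%3C/script%3E/ HTTP/1.1" 200 1611',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /bucket/%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E/ HTTP/1.1" 404 98',
    '198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /bucket/javascript-guide/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 response on a flagged path against a version below 4.18.1 is the case to triage first, since that is where the folder-list template would have reflected the payload.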
