Reflected Cross-site Scripting in S3 Proxy by Oxyno Zeta
CVE-2025-27088

CVSS v4 score: 8.4 (HIGH)

Key Information:

Vendor: Oxyno-zeta
Status: Vendor
CVE Published: 20 February 2025

What is CVE-2025-27088?

The S3 Proxy application developed by Oxyno Zeta is susceptible to a reflected cross-site scripting (XSS) vulnerability in certain versions. The affected versions render the user-supplied URL path into HTML without adequate sanitization, so an attacker can craft a URL that embeds HTML or JavaScript; when a user opens such a link, the script executes within that user's browser session. Users visiting these links may therefore unwittingly be exposed to session hijacking or phishing, compromising their data security. Because no effective workaround currently exists, users should upgrade to version 4.18.1.
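The flaw class the advisory describes is a request path interpolated straight into an HTML listing page. The following Go snippet is an added illustration written for this page, not s3-proxy's own code or its actual fix: `renderUnsafe` shows the unsafe pattern, `renderSafe` shows the same page rendered through Go's `html/template`, which escapes every interpolated value according to its HTML context. The handler names and the sample request path are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample request path containing markup, as a reflected-XSS
// payload would. Used only to contrast the two renderers below.
const samplePath = "/bucket/<script>alert(1)</script>"

// renderUnsafe mirrors the flaw class described in the advisory: the request
// path is pasted straight into HTML, so any markup in it becomes part of the
// page the browser executes. (Hypothetical code, not s3-proxy's.)
func renderUnsafe(path string) string {
	return fmt.Sprintf("<h1>Index of %s</h1>", path)
}

// listingTmpl uses html/template rather than text/template or fmt: values
// interpolated with {{.Path}} are escaped for the HTML text context.
var listingTmpl = template.Must(template.New("listing").Parse(
	"<h1>Index of {{.Path}}</h1>"))

// renderSafe renders the same listing page through html/template, so "<",
// ">", quotes and ampersands in the path are turned into HTML entities.
func renderSafe(path string) (string, error) {
	var sb strings.Builder
	if err := listingTmpl.Execute(&sb, struct{ Path string }{Path: path}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// containsRawScript is a small check usable in a unit test or a response
// review: does the rendered HTML still carry an unescaped <script tag?
func containsRawScript(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

func main() {
	fmt.Println("unsafe:", renderUnsafe(samplePath))
	safe, err := renderSafe(samplePath)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

Running the block prints the unsafe output with the `<script>` tag intact and the safe output with it rewritten as `&lt;script&gt;`. The escaping is only correct because the value lands in an HTML text context; a path inserted into an attribute, a `<script>` block or a URL needs the matching context-specific escaping, which `html/template` selects automatically and `fmt`-style concatenation never does.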

Affected Version(s)

s3-proxy < 4.18.0

References

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
