CVE-2025-27088
Published: 20 February 2025
Summary
CVE-2025-27088 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Oxyno-Zeta S3-Proxy. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 34.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Mandates filtering of information prior to display to users, directly preventing reflected XSS by escaping or sanitizing the unsanitized Request.URL.Path rendered in the folder-list template.
- Requires protections against cross-site scripting exploits in publicly accessible web systems like the S3 proxy, comprehensively addressing this reflected XSS vulnerability.
- Enforces validation of inputs such as the Request.URL.Path to reject malicious HTML/JavaScript payloads before they are processed and rendered.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in the public-facing S3 proxy (T1190) lets a script be injected through the unsanitized rendering of the URL path; because the script executes in the trusted domain's context, it directly facilitates Browser Session Hijacking (T1185) and potential cookie or token theft.
NVD Description
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. In affected versions a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. It's possible to inject html elements, including scripts through the folder-list template. The affected template allows users to interact with the URL path provided by the `Request.URL.Path` variable, which is then rendered directly into the HTML without proper sanitization or escaping. This can be abused by attackers who craft a malicious URL containing injected HTML or JavaScript. When users visit such a URL, the malicious script will be executed in the user's context. This issue has been addressed in version 4.18.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-27088 is a Reflected Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in oxyno-zeta/s3-proxy, an AWS S3 proxy implemented in Go. The flaw resides in the folder-list template, where the `Request.URL.Path` variable is directly rendered into HTML without sanitization or escaping, enabling injection of arbitrary HTML elements, including scripts, in affected versions prior to the fix.
Attackers without privileges (PR:N) can exploit this over the network (AV:N) by crafting malicious URLs embedding JavaScript or HTML payloads. Exploitation requires user interaction (UI:R), such as visiting the URL, which triggers execution of the injected script in the victim's browser context on the trusted domain. This can facilitate session hijacking or phishing attacks; the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) reflects high confidentiality impact (C:H) and a changed scope (S:C), since the script runs in the user's browser rather than in the proxy itself.
The GitHub security advisory (GHSA-pp9m-qf39-hxjc) confirms the issue was fixed in version 4.18.1 via commit c611c741ed4872ea3f46232be23bb830f96f9564, which addresses the vulnerable rendering in the folder-list.tpl template at lines 19:21-19:38. Users are advised to upgrade immediately, as no workarounds are available.
Details
- CWE(s)