CVE-2025-27088: S3-Proxy allows Reflected Cross-site Scripting (XSS) in template implementation
A Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a high risk to all users.
References
- github.com/advisories/GHSA-pp9m-qf39-hxjc
- github.com/oxyno-zeta/s3-proxy
- github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl
- github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564
- github.com/oxyno-zeta/s3-proxy/releases/tag/v4.18.1
- github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc
- nvd.nist.gov/vuln/detail/CVE-2025-27088