GHSA-v232-254c-m6p7: LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API
The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.
When parsing the XML body of a bucket tagging request, the application accepts external entity definitions and resolves them. An attacker can therefore read arbitrary files from the server’s filesystem by submitting a tagging document that defines an external entity referencing a local file.
The vulnerability is particularly severe because it allows direct access to sensitive files on the server’s filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.
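A hardened handler for the tagging body, added here as an example and not code from the LocalS3 project: it parses the S3 Tagging document with Python's standard-library expat parser and refuses any DTD, entity declaration or external entity reference, so the external entity resolution this advisory describes cannot take place. Element names follow the S3 PutBucketTagging schema; the sample request bodies are constructed.

```python
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """The body carries a DTD, an entity declaration or an external reference."""

def parse_bucket_tagging(xml_bytes: bytes) -> dict:
    """Return {key: value} from an S3 <Tagging><TagSet><Tag>...</Tag></TagSet></Tagging> body."""
    # Mitigation: entities are never resolved. Any DOCTYPE, entity declaration or
    # external reference aborts parsing before expat could touch the filesystem.
    parser = expat.ParserCreate()
    tags, current, text = {}, {}, []

    def refuse(reason):
        def handler(*_ignored):
            raise UnsafeXmlError(reason)
        return handler

    def start(name, _attrs):
        text.clear()
        if name == "Tag":
            current.clear()

    def end(name):
        if name in ("Key", "Value"):
            current[name] = "".join(text).strip()
        elif name == "Tag":
            tags[current["Key"]] = current.get("Value", "")

    # Refuse DTDs outright: without a DTD no entity can be declared at all.
    parser.StartDoctypeDeclHandler = refuse("DOCTYPE declarations are not accepted")
    parser.EntityDeclHandler = refuse("entity declarations are not accepted")
    parser.ExternalEntityRefHandler = refuse("external entity reference refused")
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return tags

def is_safe_tagging(xml_bytes: bytes) -> bool:
    """True if the body parsed with no DTD or entity, False if it was refused."""
    try:
        parse_bucket_tagging(xml_bytes)
        return True
    except UnsafeXmlError:
        return False

# Constructed sample bodies: a normal tagging request and one carrying a DTD.
SAFE_BODY = (b"<Tagging><TagSet><Tag><Key>env</Key><Value>prod</Value></Tag>"
             b"<Tag><Key>team</Key><Value>storage</Value></Tag></TagSet></Tagging>")
DTD_BODY = b'<!DOCTYPE Tagging SYSTEM "tagging.dtd"><Tagging><TagSet/></Tagging>'
```

Rejecting the DOCTYPE itself is the simplest robust rule: a tagging request has no legitimate use for a DTD, and without one no entity can be declared.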