CVE-2025-27088: 
vulnerability analysis and mitigation

A Reflected Cross-site Scripting (XSS) vulnerability was discovered in oxyno-zeta/s3-proxy, an AWS S3 proxy written in Go. The vulnerability was assigned CVE-2025-27088 and was disclosed on February 20, 2025. The vulnerability affects versions prior to 4.18.1, allowing attackers to create malicious URLs that, when visited, inject scripts into the web application through the folder-list template (GitHub Advisory).

The vulnerability exists in the folder-list template implementation where the Request.URL.Path variable is rendered directly into the HTML without proper sanitization or escaping. The affected template allows users to interact with the URL path, which can be exploited by crafting malicious URLs containing injected HTML or JavaScript. The vulnerability has been assigned a CVSS v4.0 score of 8.4 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N (GitHub Advisory).

When users visit a maliciously crafted URL, the injected script executes in the user's context, potentially leading to session hijacking where attackers could steal session cookies or other sensitive information. Additionally, the vulnerability could be exploited for phishing attacks by injecting JavaScript to trick users into submitting sensitive information such as login credentials on a trusted domain (GitHub Advisory).

The vulnerability has been patched in version 4.18.1 of s3-proxy. All users are advised to upgrade to this version. There are no known workarounds for this vulnerability (GitHub Advisory).