
Cloud Vulnerability DB
A community-led vulnerabilities database
LocalS3, an Amazon S3 mock service for testing and local development, contains an XML External Entity (XXE) injection vulnerability in its bucket creation endpoint in versions prior to 1.21. The vulnerability (CVE-2025-27136), discovered in March 2025, affects the processing of the CreateBucketConfiguration XML document and allows attackers to perform server-side request forgery (SSRF) attacks through malicious XML input (GitHub Advisory).
The vulnerability occurs during the location constraint processing, where the XML parser is configured to resolve external entities without proper validation or restrictions. When processing the CreateBucketConfiguration XML document, the service's XML parser resolves external entities, allowing attackers to declare an external entity that references an internal URL. The server then attempts to fetch this URL when parsing the XML, making HTTP requests to the specified URL and including the response content in the parsed XML document. The vulnerability has been assigned a CVSS 4.0 score of 5.5 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P (NVD).
The vulnerability enables attackers to perform server-side request forgery (SSRF) attacks, allowing them to make requests to internal services or resources that should not be accessible from external networks. The server includes the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability (GitHub Advisory).
The vulnerability has been fixed in version 1.21 by disabling XML external entity resolution in the XML parser configuration. The fix sets `XMLInputFactory.SUPPORT_DTD` to `false` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false`. Additional recommended mitigations include implementing proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references, and using XML parsers that are configured securely by default (GitHub Commit).
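The following is an added example, not LocalS3's own code, showing the two hardened StAX factory settings named in the fix together with the recommended DOCTYPE rejection, applied to parsing the `LocationConstraint` of a CreateBucketConfiguration document. The class name `SafeBucketConfigParser`, the `containsDoctype` pre-check and the two sample documents are assumptions constructed for this illustration; the `XMLInputFactory` properties are the standard `javax.xml.stream` ones.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

// Hypothetical class written for this example; not part of LocalS3.
public class SafeBucketConfigParser {

    // Hardened StAX factory: the two properties set by the CVE-2025-27136 fix.
    // With DTD support off, the parser never reads entity declarations, so it
    // can never be made to fetch an external resource while parsing.
    private static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Cheap pre-parse input validation: a CreateBucketConfiguration document has
    // no legitimate reason to carry a DOCTYPE, so reject it before parsing.
    static boolean containsDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    // Returns the LocationConstraint text, or null if the element is absent.
    // Throws XMLStreamException for documents carrying a DOCTYPE or a DTD event.
    static String parseLocationConstraint(String xml) throws XMLStreamException {
        if (containsDoctype(xml)) {
            throw new XMLStreamException(
                "DOCTYPE declarations are not accepted in CreateBucketConfiguration");
        }
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        String location = null;
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    // With SUPPORT_DTD=false this should not be reached; refuse anyway
                    // in case a StAX implementation still reports the event.
                    throw new XMLStreamException("DTD event encountered; document rejected");
                }
                if (event == XMLStreamConstants.START_ELEMENT
                        && "LocationConstraint".equals(r.getLocalName())) {
                    location = r.getElementText();
                }
            }
        } finally {
            r.close();
        }
        return location;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary CreateBucketConfiguration document.
        String clean = "<CreateBucketConfiguration xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">"
                + "<LocationConstraint>eu-west-1</LocationConstraint>"
                + "</CreateBucketConfiguration>";
        System.out.println("clean -> " + parseLocationConstraint(clean));

        // Constructed sample: the same document carrying a DOCTYPE with a harmless
        // internal entity. The hardened parser refuses any DOCTYPE, whatever the
        // entity references, which is what closes the XXE/SSRF path.
        String withDoctype = "<!DOCTYPE CreateBucketConfiguration [<!ENTITY region \"eu-west-1\">]>"
                + "<CreateBucketConfiguration><LocationConstraint>&region;</LocationConstraint>"
                + "</CreateBucketConfiguration>";
        try {
            parseLocationConstraint(withDoctype);
            System.out.println("unexpected: DOCTYPE document was accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected -> " + e.getMessage());
        }
    }
}
```

The pre-parse check and the factory properties are deliberately redundant: the string check gives a clear error before any parsing starts, while the factory settings guarantee that even a document which slips past an input filter (for example through unusual encodings) cannot cause entity resolution. Compile with `javac SafeBucketConfigParser.java` and run with `java SafeBucketConfigParser` on any JDK with the built-in StAX implementation.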
Source: This report was generated using AI