GHSA-47qw-ccjm-9c2c: 
Java vulnerability analysis and mitigation

The LocalS3 project, which implements an S3-compatible storage interface, contains an XML External Entity (XXE) Injection vulnerability (GHSA-47qw-ccjm-9c2c) discovered in version 1.20. The vulnerability was identified in March 2025 and affects the XML parsing functionality when processing multipart upload operations. The issue allows attackers to read local system files and potentially make outbound network connections due to improper configuration of XML parser settings (GitHub Advisory).

The vulnerability exists because the XML parser is configured to process external entities and DTD declarations without proper restrictions. The XML parser settings in the application did not disable DTD processing or external entity loading, making it susceptible to XXE attacks. The vulnerability has been assigned a CVSS v4 base score of 6.9 (Moderate severity), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (GitHub Advisory).

An attacker can exploit this vulnerability to read arbitrary files from the server's filesystem and exfiltrate their contents through outbound HTTP requests. The vulnerability requires no authentication and can be exploited by anyone who can send requests to the LocalS3 server. This could lead to exposure of sensitive information including configuration files, credentials, and other confidential data stored on the server (GitHub Advisory).

The vulnerability has been patched in version 1.21. Mitigations include disabling DTD processing in the XML parser configuration, disabling the ability to load external entities and external DTDs if DTD processing is required, implementing XML parsing with secure defaults using JAXP's XMLConstants.FEATURE_SECURE_PROCESSING feature, and setting up proper input validation and sanitization for all XML processing operations (GitHub Commit, GitHub Advisory).