XSS in Oxyno-zeta S3-proxy
CVE-2025-27088
oxyno-zeta/s3-proxy is an AWS S3 proxy written in Go. In affected versions, a Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This ca…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.005 (66.1th percentile)
Affected products
- Oxyno-zeta S3-proxy — versions < 4.18.0
Weakness classification (CWE)
References
- https://github.com/oxyno-zeta/s3-proxy/security/advisories/GHSA-pp9m-qf39-hxjc (x_refsource_CONFIRM)
- https://github.com/oxyno-zeta/s3-proxy/commit/c611c741ed4872ea3f46232be23bb830f96f9564 (x_refsource_MISC)
- https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38 (x_refsource_MISC)