XXE in Robothy Local-s3
CVE-2025-27136
LocalS3 is an Amazon S3 mock service for testing and local development. Prior to version 1.21, the LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfigurati…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.005 (38.8th percentile)
Affected products
- Robothy Local-s3 — versions < 1.21
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-27136?
  CVE-2025-27136 is a vulnerability in Robothy Local-s3, classified under Improper Restriction of XML External Entity Reference (XXE). Published 2025-03-10.
- Is CVE-2025-27136 known to be exploited?
  2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.