CVE-2025-27088
Published: 20 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-27088 is a Reflected Cross-site Scripting (XSS) vulnerability, classified under CWE-79, in oxyno-zeta/s3-proxy, an AWS S3 proxy implemented in Go. The flaw resides in the folder-list template, where the `Request.URL.Path` variable is directly rendered into HTML without sanitization or escaping, enabling injection of arbitrary HTML elements, including scripts, in affected versions prior to the fix.
Attackers without privileges (PR:N) can exploit this over the network (AV:N) by crafting URLs that embed JavaScript or HTML. Exploitation requires user interaction (UI:R), such as a victim visiting the crafted URL, after which the injected script runs in the victim's browser in the context of the trusted proxy domain. This can facilitate session hijacking or phishing. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N): high confidentiality impact, with a changed scope because the injected code executes in the user's browser rather than within the vulnerable proxy itself.
The GitHub security advisory (GHSA-pp9m-qf39-hxjc) confirms the issue was fixed in version 4.18.1 via commit c611c741ed4872ea3f46232be23bb830f96f9564, which addresses the vulnerable rendering in the folder-list.tpl template at lines 19:21-19:38. Users are advised to upgrade immediately, as no workarounds are available.
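As an added illustration (not s3-proxy's own code or template), the Go program below renders a constructed request path through a hypothetical folder-list template twice: once with text/template, which copies the path verbatim and so reproduces the pre-fix behaviour the advisory describes, and once with html/template, whose context-aware escaping is the remediation pattern. The template, the sample path and the field name `Path` are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Hypothetical stand-in for the folder-list template, not s3-proxy's own:
// the request path is interpolated into the page body.
const folderListTpl = `<h1>Index of {{.Path}}</h1>`

// Constructed sample path carrying markup, standing in for a crafted URL.
const samplePath = "/bucket/<script>x</script>/"

type pageData struct{ Path string }

// renderUnescaped mirrors the pre-fix behaviour: text/template copies the
// path into the HTML verbatim, so markup in the URL becomes markup in the page.
func renderUnescaped(path string) (string, error) {
	t, err := texttemplate.New("list").Parse(folderListTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, pageData{Path: path})
	return buf.String(), err
}

// renderEscaped shows the remediation: html/template applies context-aware
// escaping, so '<' and '>' in the path are emitted as entities and the
// browser treats the path as text rather than as elements.
func renderEscaped(path string) (string, error) {
	t, err := htmltemplate.New("list").Parse(folderListTpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, pageData{Path: path})
	return buf.String(), err
}

func main() {
	raw, _ := renderUnescaped(samplePath)
	safe, _ := renderEscaped(samplePath)
	fmt.Println("unescaped:", raw)
	fmt.Println("escaped:  ", safe)
}
```

Any proxy that builds listings from user-controlled URL components should take the second form, or an equivalent escaping step, as the baseline check when reviewing templates.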
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
- Affected Products: oxyno-zeta/s3-proxy, versions prior to 4.18.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing S3 proxy (T1190): the unsanitized URL path is rendered into the folder listing, so a crafted request can inject script. That injection directly facilitates browser session hijacking (T1185), since the script executes in the trusted domain's context and could lead to cookie or token theft.