CVE-2025-24961 MEDIUM

CVE-2025-24961: Insecure path traversal in filesystem and filesystem-nio2 storage backends in org.gaul S3Proxy

Vendor Gaul
Product s3proxy
Weakness CWE-22 · Path traversal
Published February 3, 2025
Last update February 12, 2025

CVSS base score

6.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02 Disclosure timeline

February 3, 2025 CVE published
February 12, 2025 Record updated