Argos83

#26852 of 53,624
9.4 Total CVSS
Vulnerabilities · 1
PT-2026-37288
9.4
2026-05-05
S3-Proxy · S3-Proxy · CVE-2026-42882
**Name of the Vulnerable Software and Affected Versions**

s3-proxy versions prior to 0.0.0-20260424211602-1320e4abd46a

**Description**

Inconsistent URL path normalization and routing logic lead to authorization bypasses that allow unauthenticated access to protected objects. The issues stem from a mismatch between how the authentication middleware and the bucket handler process request paths, specifically with respect to percent-encoded characters and dot segments. The authorization decision is made on one representation of the path while the object lookup is performed on another, so a request can match an open route yet resolve to a protected object.

Technical details:

- Path wildcard matching: `glob.Compile()` is called without a separator, so the `*` wildcard matches across directory boundaries (including `/`). A request can therefore match an open route pattern intended for a single segment while targeting a path several segments deep.
- Percent-encoded slash bypass: the authentication middleware matches against the encoded path (`r.URL.RequestURI()`), while the bucket handler uses the decoded path (`r.URL.Path`). An attacker can use `%2F` so that the path appears as a single segment to the authenticator but as multiple segments to the handler, bypassing path-based restrictions.
- Path traversal: with prefix-style patterns using `**` (e.g. `/open/**`), the lack of path normalization allows dot-segment traversal (e.g. `/open/../restricted/`). The authentication middleware matches the raw path against the open prefix, while the bucket handler processes the resolved path, granting access to restricted namespaces.

**Recommendations**

Update s3-proxy to version 0.0.0-20260424211602-1320e4abd46a or later. As a temporary mitigation, review resource path definitions: replace `*` with `**` only where multi-segment matching is explicitly intended, and avoid prefix-style patterns with `**` for open routes if path normalization is not guaranteed.
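The following Go program is an added example and is not s3-proxy's own code. It models the three mismatches described above with a constructed policy (`/open/**` is public, everything else is protected): `globMatch` is a stand-in that reproduces the separator-less versus separator-aware behaviour attributed to `glob.Compile()`, `vulnerableIsOpen` decides on `RequestURI()` the way the affected middleware is described as doing, `resolveKey` mimics a handler that builds the object key from the decoded, cleaned `URL.Path`, and `hardenedIsOpen` shows the check a fix needs: reject non-canonical encodings and dot segments, then match on the same canonical key the handler will use. All function and constant names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed policy for this example: objects under /open/ are public,
// everything else (here /restricted/) requires authentication.
const openPattern = "/open/**"

// globMatch is a minimal glob matcher standing in for the two ways the
// advisory says glob.Compile() can behave. "*" matches any run of
// characters; when sepAware is true it stops at "/" (a separator was
// passed), otherwise it crosses directory boundaries. "**" always spans
// separators.
func globMatch(pattern, s string, sepAware bool) bool {
	for pattern != "" {
		switch {
		case strings.HasPrefix(pattern, "**"):
			rest := pattern[2:]
			for i := 0; i <= len(s); i++ {
				if globMatch(rest, s[i:], sepAware) {
					return true
				}
			}
			return false
		case pattern[0] == '*':
			rest := pattern[1:]
			for i := 0; i <= len(s); i++ {
				if globMatch(rest, s[i:], sepAware) {
					return true
				}
				if sepAware && i < len(s) && s[i] == '/' {
					return false // "*" may not consume a separator
				}
			}
			return false
		default:
			if s == "" || pattern[0] != s[0] {
				return false
			}
			pattern, s = pattern[1:], s[1:]
		}
	}
	return s == ""
}

// resolveKey mimics a bucket handler that derives the object key from the
// decoded path (r.URL.Path) after cleaning, so %2F and ".." take effect here.
func resolveKey(rawURI string) (string, error) {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return "", err
	}
	return path.Clean(u.Path), nil
}

// vulnerableIsOpen matches the policy against the still-encoded request URI
// (r.URL.RequestURI()) with a separator-less wildcard, as described for the
// affected middleware. It never sees the key the handler will actually use.
func vulnerableIsOpen(rawURI string) bool {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false
	}
	return globMatch(openPattern, u.RequestURI(), false)
}

// hardenedIsOpen decides on the canonical key the handler resolves and
// refuses requests whose encoding or dot segments would make the two views
// diverge.
func hardenedIsOpen(rawURI string) bool {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false
	}
	// RawPath is only set when the request used a non-canonical encoding
	// (e.g. %2F for "/"); such requests are rejected rather than reinterpreted.
	if u.RawPath != "" {
		return false
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return false // dot segments never reach the matcher
		}
	}
	return globMatch(openPattern, path.Clean(u.Path), true)
}

func main() {
	// Constructed request URIs exercising each described mismatch.
	for _, uri := range []string{
		"/open/file.txt",
		"/open/../restricted/secret",
		"/open/..%2Frestricted/secret",
		"/restricted/secret",
	} {
		key, _ := resolveKey(uri)
		fmt.Printf("%-32s key=%-20s vulnerable=%-5v hardened=%v\n",
			uri, key, vulnerableIsOpen(uri), hardenedIsOpen(uri))
	}
}
```

Running it shows both traversal forms being admitted by the vulnerable check while resolving to `/restricted/secret`, and the separator-less `*` in `globMatch(\"/open/*\", ...)` accepting a multi-segment path that a separator-aware match rejects. The hardened check is deliberately strict: it rejects rather than normalizes, because an authorizer that silently rewrites a request can still disagree with the handler's rewrite.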