PT-2025-10615 · Locals3

Xbow-Security · Published 2025-03-10 · Updated 2025-07-24 · CVE-2025-27136

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: LocalS3 versions prior to 1.21

Description: The issue is XML External Entity (XXE) injection in the bucket creation endpoint. When processing the CreateBucketConfiguration XML document, the service's XML parser resolves external entities without validating them, so a request body can declare an external entity that references an internal URL. This enables server-side request forgery (SSRF): the server makes requests to internal services or resources that should not be reachable from external networks, and the responses can leak sensitive information.

Recommendations: For versions prior to 1.21, update to version 1.21 or later to resolve the issue. As a temporary workaround, consider restricting access to the bucket creation endpoint to minimize the risk of exploitation. Avoid accepting CreateBucketConfiguration XML documents that declare external entities until the issue is resolved.
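The following Python module is an added example, not code from LocalS3 or from this advisory, showing the two defensive layers a bucket-creation handler needs against the pattern described above: reject any request body that carries a DOCTYPE (the only place an XML document can declare entities), and, as defence in depth, run an expat parser that refuses entity declarations and external entity resolution. The S3 document namespace, the `check_request` wrapper and all sample bodies are constructed for the demo; the URL in the hostile sample is a placeholder.

```python
"""Defensive parsing of an S3 CreateBucketConfiguration request body.

Added example (not LocalS3 code): a DOCTYPE pre-check plus a hardened
expat parser, demonstrating the mitigation for XXE-driven SSRF.
"""
import re
import xml.parsers.expat as expat

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"  # S3 document namespace

# A DOCTYPE is the only place an XML document can declare entities, and a
# CreateBucketConfiguration document never legitimately carries one.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when a request body tries to use DTD or entity features."""


def _local_name(qname):
    """expat reports 'ns}local' names when a namespace separator is set."""
    return qname.rsplit("}", 1)[-1]


def parse_create_bucket_configuration(body):
    """Return the LocationConstraint text (None if absent) of a safe document.

    Raises UnsafeXmlError for any DOCTYPE, entity declaration or external
    entity reference; raises ValueError for malformed XML or a wrong root.
    """
    if _DOCTYPE_RE.search(body):
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")

    parser = expat.ParserCreate(namespace_separator="}")
    # Defence in depth: never expand parameter entities, refuse every entity
    # declaration, and abort if expat is asked to fetch an external entity.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity(entity_name, *_):
        raise UnsafeXmlError(f"entity declaration {entity_name!r} rejected")

    def reject_external(*_):
        raise UnsafeXmlError("external entity resolution rejected")

    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    state = {"depth": 0, "root_ok": False, "in_location": False, "text": []}

    def start(name, _attrs):
        state["depth"] += 1
        local = _local_name(name)
        if state["depth"] == 1:
            state["root_ok"] = local == "CreateBucketConfiguration"
        elif state["depth"] == 2 and local == "LocationConstraint":
            state["in_location"] = True

    def end(name):
        if state["depth"] == 2 and _local_name(name) == "LocationConstraint":
            state["in_location"] = False
        state["depth"] -= 1

    def chars(data):
        if state["in_location"]:
            state["text"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if not state["root_ok"]:
        raise ValueError("root element must be CreateBucketConfiguration")
    return "".join(state["text"]).strip() or None


def check_request(body):
    """Turn the parser outcome into an accept/reject record a handler can log."""
    try:
        return {"accepted": True, "location": parse_create_bucket_configuration(body)}
    except UnsafeXmlError as exc:
        return {"accepted": False, "reason": f"unsafe: {exc}"}
    except ValueError as exc:
        return {"accepted": False, "reason": f"invalid: {exc}"}


# Constructed sample bodies (not taken from the advisory).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<CreateBucketConfiguration xmlns="' + S3_NS.encode() + b'">'
          b'<LocationConstraint>eu-west-1</LocationConstraint>'
          b'</CreateBucketConfiguration>')
EMPTY = b'<CreateBucketConfiguration xmlns="' + S3_NS.encode() + b'"/>'
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE CreateBucketConfiguration '
           b'[<!ENTITY ext SYSTEM "http://internal.invalid/">]>'  # placeholder URL
           b'<CreateBucketConfiguration><LocationConstraint>&ext;'
           b'</LocationConstraint></CreateBucketConfiguration>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("empty", EMPTY), ("hostile", HOSTILE)):
        print(label, check_request(doc))
```

The DOCTYPE check runs before any parsing so a hostile body is rejected without the parser ever seeing the entity declaration; the expat handlers exist for the case where a DOCTYPE slips past a future change to the pre-check, and the rejection reason is returned rather than printed so a request handler can log it as a detection event.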

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers: CVE-2025-27136, GHSA-G6WM-2V64-WQ36

Affected Products: Locals3