{"id":"CVE-2025-24961","summary":"Insecure path traversal in filesystem and filesystem-nio2 storage backends in org.gaul S3Proxy","details":"org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-2ccp-vqmv-4r4x"],"modified":"2026-05-19T03:24:15.469551Z","published":"2025-02-03T20:29:17.885Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24961.json","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24961.json"},{"type":"ADVISORY","url":"https://github.com/gaul/s3proxy/security/advisories/GHSA-2ccp-vqmv-4r4x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24961"},{"type":"FIX","url":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3"},{"type":"FIX","url":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/jclouds","events":[{"introduced":"0"},{"fixed":"b0819e0ef5e08c792a4d1724b938714ce9503aa3"}],"database_specific":{"source":"REFERENCES"}}],"versions":["rel/jclouds-2.1.0-rc3","rel/jclouds-2.1.0","rel/jclouds-2.0.0-rc3","rel/jclouds-2.0.0","jclouds-1.9.0-rc2","jclouds-1.9.0","jclouds-1.6.0-alpha.4","jclouds-1.6.0-alpha.2","jclouds-1.6.0-alpha.1"],"database_specific":{"vanir_signatures_modified":"2026-05-19T03:24:15Z","vanir_signatures":[{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/predicates/validators/internal/FilesystemBlobKeyValidatorImpl.java","function":"validate"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-2b2e9751","deprecated":false,"digest":{"function_hash":"125037986075280878767574516804789987634","length":297}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/predicates/validators/internal/FilesystemBlobKeyValidatorImpl.java"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Line","id":"CVE-2025-24961-375f2951","deprecated":false,"digest":{"line_hashes":["20069896787609228485977222211093440731","62371250332533914505006827101602181105","240300076344385683527240250032668309018"],"threshold":0.9}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"setBlobAccess"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-39f534a3","deprecated":false,"digest":{"function_hash":"67762052579734638577474773291296400274","length":643}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"getContainerAccess"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-6e052c09","deprecated":false,"digest":{"function_hash":"19473607715162460872740041224788012252","length":605}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"getBlobAccess"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-73dd40db","deprecated":false,"digest":{"function_hash":"286968069799360268862141978955574225926","length":743}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"getBlob"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-97c4e0a9","deprecated":false,"digest":{"function_hash":"75805626180805180172202597448144699799","length":3460}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/predicates/validators/internal/FilesystemContainerNameValidatorImpl.java","function":"validate"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-9be4c3b0","deprecated":false,"digest":{"function_hash":"250535324545173049656043489211293678162","length":306}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/predicates/validators/internal/FilesystemContainerNameValidatorImpl.java"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Line","id":"CVE-2025-24961-c96f13c4","deprecated":false,"digest":{"line_hashes":["126125980402485448796146326140695003915","224570168591990480409201632737670047441","285659959648456572612365193748129775754"],"threshold":0.9}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Line","id":"CVE-2025-24961-d9f2c3a8","deprecated":false,"digest":{"line_hashes":["280517820510689024097824445194336887208","30203255902698912541808272020523246101","142040613046567492067553862420793226348","126973426007487185210481810294035149874","245324513992746587961797861854829973340","104504010585023400006309866848722062519","114951288954325836199904617570139087345","301052261748996005994599213635338063250","235714288248837198298935600578189322672","36744216232531963065025813108610573473","322862239604969039113703932610313841072","135093614466465908930363233677412589691","292280653821993239457445542794671850305","25416287140116036650584491943812176514","164987452851581514832633053980903669931","230467111484523839231042036189096237840","300430498500291166495403003096786773443","255043961593155444222468768602442677698","114318875738460336790891770250104325888","149651680408205056768598205290179565718","294223657102792462059963930801879230483","227381495677402006585383556111549830100","326201561066977391029138156202953558883","27491761547388498299634878762132984810"],"threshold":0.9}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"setContainerAccess"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-f4e31ce4","deprecated":false,"digest":{"function_hash":"246820201236669913389154704343751693929","length":621}},{"target":{"file":"apis/filesystem/src/main/java/org/jclouds/filesystem/strategy/internal/FilesystemStorageStrategyImpl.java","function":"getContainerMetadata"},"source":"https://github.com/apache/jclouds/commit/b0819e0ef5e08c792a4d1724b938714ce9503aa3","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-f7f6f406","deprecated":false,"digest":{"function_hash":"118672305951905413403379917727390757484","length":505}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24961.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/gaul/s3proxy","events":[{"introduced":"0"},{"fixed":"86b6ee4749aa163a78e7898efc063617ed171980"}],"database_specific":{"source":"REFERENCES"}}],"versions":["s3proxy-2.5.0","s3proxy-2.4.1","s3proxy-2.4.0","s3proxy-2.3.0","s3proxy-2.2.0","s3proxy-2.1.0","s3proxy-2.0.0","s3proxy-1.9.0","s3proxy-1.8.0","s3proxy-1.7.1","s3proxy-1.7.0","s3proxy-1.6.2","s3proxy-1.6.1","s3proxy-1.6.0","s3proxy-1.5.5","s3proxy-1.5.4","s3proxy-1.5.3","s3proxy-1.5.2","s3proxy-1.5.1","s3proxy-1.5.0","s3proxy-1.5.0-prerelease","s3proxy-1.3.0","s3proxy-1.2.0","s3proxy-1.1.0","s3proxy-1.0.0"],"database_specific":{"vanir_signatures_modified":"2026-05-19T03:24:15Z","vanir_signatures":[{"target":{"file":"src/test/java/org/gaul/s3proxy/AwsSdkTest.java"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Line","id":"CVE-2025-24961-0d124826","deprecated":false,"digest":{"line_hashes":["21229688502263514735606727843342161595","65612849828031610880673901199691263293","196763071858339886562476345374599471254"],"threshold":0.9}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"removeBlob"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-3ac1f5c0","deprecated":false,"digest":{"function_hash":"37649104372284271263985405246626672800","length":305}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"getBlob"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-4d985be6","deprecated":false,"digest":{"function_hash":"33950228511935049175872429163422521220","length":6012}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"setBlobAccess"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-69855920","deprecated":false,"digest":{"function_hash":"92853780792644939022387166985358695799","length":629}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"list"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-c275aead","deprecated":false,"digest":{"function_hash":"147629936195235924088360560202661383292","length":1548}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Line","id":"CVE-2025-24961-c91ed9c4","deprecated":false,"digest":{"line_hashes":["41087815277347753411819879610421205228","275855042814933013467492909438721533667","312804813036527476642676292194330309391","96738636897754905132804164816271294202","131096829020060187486617738340902988692","129133302359956553490750484558950146665","117734457270716812888527366278886941463","83488289998961277477929071883812078030","236626223533865729278873307190750761038","170542215954916925451346665794548418079","300799456308590080409979882777397627821","38656440638012592394652799956195779148","317216151654293636114550124181885451819","310858983857465187506607005788088814625","185727769176109565661854696127325783412","83495174938195041049882572672754053006","23414431107968208900655079730396395446","163307058602580085480996886660506501140","130881530733780496870306208541747085184","220190953617487047309270345180295037885","23414431107968208900655079730396395446","163307058602580085480996886660506501140","130881530733780496870306208541747085184","254173289947192452944743262721288674032","262668990511459673939218760000903252866","97272808899398788133918807529629980964"],"threshold":0.9}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"getBlobAccess"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-d9c8bd81","deprecated":false,"digest":{"function_hash":"30850073682757949044954122981579722170","length":473}},{"target":{"file":"src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java","function":"putBlob"},"source":"https://github.com/gaul/s3proxy/commit/86b6ee4749aa163a78e7898efc063617ed171980","signature_version":"v1","signature_type":"Function","id":"CVE-2025-24961-eeea50cf","deprecated":false,"digest":{"function_hash":"20996456641727449954408095975812358094","length":2929}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24961.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}