Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network-reachable S3 API, low complexity, requires a valid bucket-scoped identity (PR:L); scope changes as the caller crosses its authorization boundary, yielding high confidentiality only with no integrity or availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side copy. This issue is fixed in version 4.34.
AnalysisAI
Cross-bucket object disclosure in SeaweedFS S3 API gateway (versions prior to 4.34) allows an authenticated identity scoped to a single bucket to read objects from other buckets by injecting dot-dot (../) path segments into the X-Amz-Copy-Source header of CopyObject and UploadPartCopy requests. Because the gateway performs a server-side copy without normalizing or rejecting traversal segments, the bucket-level access boundary is bypassed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid SeaweedFS S3 identity (PR:L authenticated per the CVSS vector) that is scoped to at least one bucket, and the deployment must expose the S3 API gateway with CopyObject and/or UploadPartCopy operations reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7 High) is internally consistent and credible: the attack is network-reachable, low-complexity, requires low privilege (a valid but bucket-scoped S3 identity), needs no user interaction, and produces a changed-scope high-confidentiality impact - precisely matching a tenant escaping its bucket boundary to read other tenants' data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant is issued S3 credentials scoped only to their own bucket in a shared SeaweedFS deployment. They send a CopyObject (or UploadPartCopy) request with an X-Amz-Copy-Source header like 'my-bucket/../victim-bucket/secret.key', and the gateway resolves the dot-dot segment to fetch the target object from another tenant's bucket into a location they control, disclosing its contents. … |
| Remediation | Vendor-released patch: SeaweedFS 4.34 - upgrade the S3 gateway and associated components to 4.34 or later (https://github.com/seaweedfs/seaweedfs/releases/tag/4.34), which rejects dot-dot path segments in the X-Amz-Copy-Source header; the underlying fix is in pull request https://github.com/seaweedfs/seaweedfs/pull/9929 and commit b44cf51fe931bd75aa4d37ae766bea90d7f85ccd. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all SeaweedFS deployments and identify instances running versions prior to 4.34. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42285