Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2.
AnalysisAI
CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.
Technical ContextAI
RustFS is a distributed, S3-compatible object storage system written in Rust. The vulnerable component is the ConditionalCorsLayer middleware within the S3 listener - a Tower-based HTTP middleware layer responsible for injecting CORS response headers. When RUSTFS_CORS_ALLOWED_ORIGINS is unset, the layer enters a fully permissive mode: it echoes the request's Origin header back as Access-Control-Allow-Origin (origin reflection), pairs this with Access-Control-Allow-Credentials: true, and wildcards Access-Control-Allow-Headers. Per the CORS specification, browsers permit cross-origin JavaScript to read responses only when the server reflects the exact request origin alongside the credentials flag - precisely the condition this misconfiguration creates. CWE-306 (Missing Authentication for Critical Function) applies in the sense that the CORS gate - which functions as an access-control boundary for browser-originated cross-domain requests - is entirely absent when the environment variable is not configured, effectively treating all origins as trusted. The CPE cpe:2.3:a:rustfs:rustfs:*:*:*:*:*:*:*:* with no version floor indicates every released version before 1.0.0-beta.2 carries this behavior.
RemediationAI
Upgrade to RustFS 1.0.0-beta.2 - the vendor-released patch confirmed by GitHub Security Advisory GHSA-x5xv-223c-8vm7 at https://github.com/rustfs/rustfs/security/advisories/GHSA-x5xv-223c-8vm7. This is the definitive fix and should be prioritized on any deployment reachable from browsers or reverse proxies carrying user credentials. As an immediate compensating control prior to patching, explicitly set the RUSTFS_CORS_ALLOWED_ORIGINS environment variable to a restrictive, allowlisted set of trusted origins (e.g., RUSTFS_CORS_ALLOWED_ORIGINS=https://trusted-dashboard.example.com); this disables the reflection behavior by giving the ConditionalCorsLayer an explicit list to match against. Trade-off: this requires knowing all legitimate cross-origin consumers in advance and will break any unlisted origins. If cross-origin browser access to RustFS is not required at all, configure a reverse proxy (nginx, Caddy, HAProxy) to strip or override CORS response headers before they reach clients, or add a WAF rule to block OPTIONS preflight requests from untrusted origins. Additionally, audit browser credential exposure: revoke or rotate HTTP Basic Auth credentials and SSO session cookies scoped to the RustFS origin, as these are the specific credential classes exploitable in this attack. TLS client certificate bindings to the RustFS origin should also be reviewed if applicable.
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files o
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted c
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored ob
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permis
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invali
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remot
Privilege escalation in RustFS distributed object storage before 1.0.0-beta.2 lets a low-privileged user holding ImportI
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket wri
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no ef
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32999