S3-Proxy has Security Issues in its Resource Path Matching Implementation — CVE-2026-42882
GitHub · GitHub · CVE-2026-42882
ID
CVE-2026-42882
CVE-2026-42882
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.4
9.4
EPSS
0.00124
0.00124
Summary
## Background The original concern is functional: a resource pattern should treat a percent-encoded segment like some%2Fvalue as a single opaque token rather than splitting it into two path segments at the decoded /. Investigation into why %2F was being decoded and how routes matched against the result surfaced three related security issues, documented below. Rather than landing a fix directly, the problem space…
Product
go: github.com/oxyno-zeta/s3-proxy
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.