Description
SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body. Attackers can bypass authorization controls through a confused deputy condition, as the validateRequestPath middleware only inspects URL-captured path variables and never examines request-body keys, allowing the filer path to collapse directory traversal sequences and resolve deletions outside the authorized bucket.
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
Any version before 4.34
Credits
George Chen
References
github.com/...weedfs/security/advisories/GHSA-w62w-66v9-vvgv
github.com/seaweedfs/seaweedfs/releases/tag/4.34 (Release Notes)
github.com/seaweedfs/seaweedfs/pull/9931 (Fix PR)
github.com/...ommit/0345658ea8e7c6a3948ad190634b00866ec244c9 (Fix Commit)
github.com/...weedfs/security/advisories/GHSA-w62w-66v9-vvgv (Prior advisory (CVE-2026-54917) - incompletely fixed)
github.com/geo-chen/oss/blob/main/seaweedfs.md (Researcher Disclosure)
www.vulncheck.com/...ion-via-deleteobjects-request-body-keys