RustFS
- <= 1.0.0-beta.1
A vulnerability in RustFS versions prior to 1.0.0-beta.2 results in a permissive cross-origin resource sharing (CORS) policy whenever the RUSTFS_CORS_ALLOWED_ORIGINS variable is unset. In these versions, the S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin, and also emits Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * in its responses, including preflight and error responses. The resulting cross-domain policy can be exploited by a browser that visits an attacker-controlled page, which can then send credentialed cross-origin requests to a RustFS deployment. The response is readable by that page if the victim's browser holds ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates.
Exploitation allows an attacker to make credentialed cross-origin requests to the RustFS S3 listener, potentially accessing sensitive data or resources, depending on the nature of the request and the permissions of the authenticated user.
To reproduce this vulnerability, deploy RustFS version 1.0.0-beta.1 or earlier with the default CORS configuration, which leaves RUSTFS_CORS_ALLOWED_ORIGINS unset. With that configuration, any Origin is reflected back in the Access-Control-Allow-Origin header. Once the server is running, a browser can visit an attacker-controlled page that sends a credentialed request to the RustFS server; the browser attaches any ambient credentials it holds for that origin, such as HTTP Basic Auth credentials, SSO cookies, or TLS client certificates. The page can then read the response from the RustFS server, demonstrating the vulnerability.
Users can update to RustFS version 1.0.0-beta.2 or later, where this vulnerability is fixed. Until then, it's recommended to manually set RUSTFS_CORS_ALLOWED_ORIGINS to a list of trusted origins and avoid exposing RustFS endpoints to browsers that may carry ambient credentials for the RustFS origin.
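The following added example (not RustFS code; the function names and the probe origin are assumptions) models the CORS decision described above, the reflect-everything behaviour when the allow-list is unset beside the allow-list behaviour, and an audit check that flags a response reflecting an arbitrary origin together with Access-Control-Allow-Credentials: true.

```python
from typing import Dict, Optional

# Origin that no deployment should ever trust; sending it as a probe and seeing
# it reflected with credentials is the condition this advisory describes.
AUDIT_PROBE_ORIGIN = "https://cors-audit-probe.invalid"  # constructed value


def cors_response_headers(request_origin: Optional[str],
                          allowed_origins: Optional[str]) -> Dict[str, str]:
    """Model of the CORS headers a listener emits for a given request Origin.

    allowed_origins mirrors RUSTFS_CORS_ALLOWED_ORIGINS as a comma-separated
    list; None means the variable is unset. This is a simplified model written
    for illustration, not the project's own ConditionalCorsLayer.
    """
    if request_origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    if allowed_origins is None:
        # Unset allow-list: reflect any Origin and grant credentials. This is the
        # permissive behaviour of versions before 1.0.0-beta.2.
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Headers": "*",
        }
    trusted = {o.strip() for o in allowed_origins.split(",") if o.strip()}
    if request_origin in trusted:
        # Only an explicitly trusted origin is echoed back; Vary: Origin keeps
        # caches from serving one origin's answer to another.
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # untrusted origin: the browser blocks the cross-origin read


def is_permissive_cors(probe_origin: str, headers: Dict[str, str]) -> bool:
    """Audit check over a captured response: True when the untrusted probe
    origin was reflected in Allow-Origin and credentials were allowed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    reflected = lowered.get("access-control-allow-origin") == probe_origin
    credentialed = lowered.get("access-control-allow-credentials", "").lower() == "true"
    return reflected and credentialed


if __name__ == "__main__":
    # Constructed demonstration: unset allow-list vs. an explicit allow-list.
    print(is_permissive_cors(AUDIT_PROBE_ORIGIN, cors_response_headers(AUDIT_PROBE_ORIGIN, None)))
    print(is_permissive_cors(AUDIT_PROBE_ORIGIN, cors_response_headers(AUDIT_PROBE_ORIGIN, "https://app.example")))
```

Running the audit against a live deployment means sending one request with the probe Origin and passing the response headers to is_permissive_cors; a True result indicates the unset allow-list condition and calls for setting RUSTFS_CORS_ALLOWED_ORIGINS or upgrading.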