
MinIO, a high-performance object storage server compatible with the Amazon S3 API, has released a patch for a high-severity security vulnerability. The flaw, tracked as CVE-2025-31489, is an incomplete signature validation for unsigned-trailer uploads, that is, uploads that declare their payload as `STREAMING-UNSIGNED-PAYLOAD-TRAILER` in the `x-amz-content-sha256` header.
The core issue lies in how MinIO validated the authorization of such requests. For these uploads the “signature component of the authorization may be invalid”, meaning the server accepted the request without properly checking the AWS Signature V4 value, so a malicious client can upload objects using any arbitrary secret key rather than the real one. To exploit this, the attacker needs an access key that already has WRITE permissions on the target bucket (the access key ID, not its secret) and the bucket name.
The security advisory emphasizes the severity of this flaw: “This is a high priority vulnerability and users must upgrade ASAP”. With the necessary information, exploiting this vulnerability to upload unauthorized objects to buckets is described as “trivial and easy via curl”.
The affected MinIO releases start at RELEASE.2023-05-18T00-05-36Z and include every release up to, but not including, the fix.
A patch is available to correct this vulnerability. The patched version is RELEASE.2025-04-03T14-56-28Z.
A workaround is suggested for deployments that cannot upgrade immediately: “Reject requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER for now at LB layer, ask application users to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER”.
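The two checks a practitioner needs here are (1) whether a given MinIO release tag falls inside the affected range and (2) the load-balancer workaround itself, expressed as a header filter. The script below is an added example, not code from MinIO or from the advisory; it reads the version range and the header tokens from the text above, and the sample requests and release tags it tests against are constructed for illustration.

```python
"""Added example (not MinIO's own code) for CVE-2025-31489.

is_affected_release():  order MinIO release tags (RELEASE.YYYY-MM-DDTHH-MM-SSZ)
                        and check whether a tag lies in the affected range:
                        RELEASE.2023-05-18T00-05-36Z <= tag < RELEASE.2025-04-03T14-56-28Z.
should_reject_request(): the advisory's interim workaround as a filter a
                        reverse proxy or WAF hook could apply: refuse uploads
                        declaring STREAMING-UNSIGNED-PAYLOAD-TRAILER and let the
                        signed variant STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER through.
"""
from datetime import datetime, timezone
from typing import Mapping, Optional

FIRST_AFFECTED = "RELEASE.2023-05-18T00-05-36Z"
PATCHED = "RELEASE.2025-04-03T14-56-28Z"

UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
SIGNED_TRAILER = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"


def parse_release(tag: str) -> datetime:
    """Convert a MinIO release tag into a UTC datetime so tags can be ordered."""
    prefix = "RELEASE."
    if not tag.startswith(prefix):
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    stamp = tag[len(prefix):]
    return datetime.strptime(stamp, "%Y-%m-%dT%H-%M-%SZ").replace(tzinfo=timezone.utc)


def is_affected_release(tag: str) -> bool:
    """True if the release is vulnerable: first affected <= tag < patched."""
    t = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= t < parse_release(PATCHED)


def should_reject_request(headers: Mapping[str, str]) -> Optional[str]:
    """Return a rejection reason, or None if the request may be forwarded.

    Header names are matched case-insensitively, as HTTP requires. The value is
    compared exactly after trimming whitespace, because SigV4 defines these
    tokens verbatim and a near-match is not the unsigned-trailer mode.
    Requests without the header (plain GETs, signed single-chunk PUTs) pass.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    declared = lowered.get("x-amz-content-sha256", "").strip()
    if declared == UNSIGNED_TRAILER:
        return f"unsigned-trailer upload rejected; use {SIGNED_TRAILER} instead"
    return None


if __name__ == "__main__":
    # Constructed release tags (hypothetical, apart from the two from the advisory).
    for tag in ("RELEASE.2023-05-17T00-00-00Z", FIRST_AFFECTED,
                "RELEASE.2025-04-02T00-00-00Z", PATCHED):
        print(f"{tag}: {'VULNERABLE' if is_affected_release(tag) else 'not affected'}")

    # Constructed sample request headers (not captured traffic).
    samples = {
        "unsigned trailer PUT": {"X-Amz-Content-Sha256": UNSIGNED_TRAILER,
                                 "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/..."},
        "signed trailer PUT": {"x-amz-content-sha256": SIGNED_TRAILER},
        "plain GET": {"Host": "minio.example.internal"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {should_reject_request(hdrs) or 'forward'}")
```

The filter is deliberately narrow: it blocks only the exact unsigned-trailer mode the advisory names, so signed streaming uploads and ordinary requests keep working. It is still a breaking change for any client that defaults to unsigned trailers, which is why the advisory pairs the LB rule with asking application owners to switch to the signed variant; treat the rule as a stopgap until the patched release is deployed.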
Given the severity of this vulnerability and the low effort required to exploit it, MinIO users are strongly advised to upgrade to the patched version as soon as possible; where an upgrade must wait, apply the load-balancer workaround in the meantime to block unauthorized uploads.