PT-2025-14797 · Minio+2
Published: 2025-04-03 · Updated: 2025-09-22
CVE-2025-31489
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
MinIO versions prior to RELEASE.2025-04-03T14-56-28Z
Description
The issue is an authorization flaw in MinIO, a high-performance object storage system. It allows a client with prior WRITE permissions on a bucket to upload objects using any arbitrary secret, provided they know the access-key and bucket name. With that information in hand, uploading arbitrary objects to buckets is easy.
Recommendations
For versions prior to RELEASE.2025-04-03T14-56-28Z, update to RELEASE.2025-04-03T14-56-28Z or later to resolve the issue. As a temporary workaround, consider restricting WRITE permissions on buckets to minimize the risk of exploitation.
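To act on this recommendation across a fleet, the added example below (not part of the original advisory or of MinIO's code) classifies reported MinIO version strings against the fixed release named above. The host names and version strings are constructed, and the treatment of tags that carry a suffix after the timestamp is an assumption: their patch status cannot be decided from the date alone, so they are flagged for manual review.

```python
import re
from datetime import datetime, timezone

# Fixed release named in this advisory.
FIXED_TAG = "RELEASE.2025-04-03T14-56-28Z"

# MinIO release tags embed a UTC build timestamp. Anything glued on after
# the trailing "Z" is captured separately as a suffix.
TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z(\S*)")


def parse_tag(text):
    """Return (timestamp, suffix) for the first release tag in text, or None."""
    m = TAG_RE.search(text)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")
    except ValueError:  # right shape, impossible date (e.g. month 13)
        return None
    return ts.replace(tzinfo=timezone.utc), m.group(2)


FIXED_TS, _ = parse_tag(FIXED_TAG)


def classify(version_text):
    """Map a version string to 'fixed', 'affected', 'review' or 'unknown'."""
    parsed = parse_tag(version_text)
    if parsed is None:
        return "unknown"  # no parseable tag: never assume it is patched
    ts, suffix = parsed
    if ts >= FIXED_TS:
        return "fixed"
    # Assumption: an older timestamp with a suffix may be a variant build,
    # so the date alone does not settle whether it carries the fix.
    return "review" if suffix else "affected"


def triage(inventory):
    """Classify every host in a {host: version_text} mapping."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed inventory: hosts and timestamps are illustrative only.
INVENTORY = {
    "store-a": "minio version RELEASE.2024-01-01T00-00-00Z (commit-id=constructed)",
    "store-b": "RELEASE.2025-04-03T14-56-28Z",
    "store-c": "RELEASE.2024-01-01T00-00-00Z.hotfix.abc123",
    "store-d": "latest",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "affected" need the upgrade or the WRITE-permission restriction described above; "unknown" and "review" need a manual check rather than being treated as safe.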
Exploit
Fix
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Alt Linux
Minio
Red Os