PT-2025-42551 · Minio +2

Published 2025-10-16 · Updated 2026-01-27 · CVE-2025-62506

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2025-10-15T17-29-55Z
Description: MinIO, a high-performance object storage system, contains a privilege escalation vulnerability in its IAM (Identity and Access Management) policy validation logic. The flaw affects service accounts and STS (Security Token Service) accounts that carry a restricted session policy. The vulnerability arises from an incorrect reliance on the DenyOnly argument when validating session policies: in DenyOnly mode an action passes as long as the policy does not explicitly deny it, but when a session policy is present the system should verify that the action is explicitly allowed. Because a restricted session policy normally lists only the actions it permits and never mentions service-account creation, the check passes. An attacker with valid credentials for such a restricted account can therefore create a new service account without policy restrictions; that account inherits the parent user's full privileges, allowing the attacker to read, modify, or delete data beyond the scope of the original session policy. The vulnerable code is in the cmd/iam.go file, within the isAllowedBySessionPolicyForServiceAccount and isAllowedBySessionPolicy functions. Approximately 786,000 instances of MinIO are potentially exposed.
Recommendations: Update MinIO to RELEASE.2025-10-15T17-29-55Z or later. Review all service accounts created by non-admin accounts, paying particular attention to any whose parent is a restricted service or STS account. Revoke any service accounts that may have been created through exploitation. Check access logs for unauthorized access to sensitive buckets.
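The following is an added, self-contained illustration of the policy-evaluation mistake described above; it is not MinIO's code and does not use MinIO's policy package. It models a minimal Allow/Deny evaluator with a DenyOnly mode, a constructed session policy that permits only s3:GetObject on one prefix, and two session checks: a vulnerable one that forwards the caller's DenyOnly flag into the session-policy evaluation, and a fixed one that clears DenyOnly whenever a session policy is present so the action must be explicitly allowed. The assumption that the service-account creation path is evaluated with DenyOnly set to true, and the action name admin:CreateServiceAccount, are taken from the advisory's description, not from the MinIO source.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is a simplified IAM policy statement (added model, not MinIO's
// policy package). Effect is "Allow" or "Deny"; Actions and Resources accept
// a trailing "*" wildcard; an empty Resources list matches any resource,
// which is how admin actions without a resource are represented here.
type Statement struct {
	Effect    string
	Actions   []string
	Resources []string
}

// Policy is an ordered list of statements.
type Policy struct {
	Statements []Statement
}

// Args is the evaluation request. DenyOnly asks "is this action explicitly
// denied?" instead of "is this action explicitly allowed?".
type Args struct {
	Action   string
	Resource string
	DenyOnly bool
}

func match(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func (s Statement) matches(a Args) bool {
	actionHit := false
	for _, act := range s.Actions {
		if match(act, a.Action) {
			actionHit = true
			break
		}
	}
	if !actionHit {
		return false
	}
	if len(s.Resources) == 0 {
		return true
	}
	for _, r := range s.Resources {
		if match(r, a.Resource) {
			return true
		}
	}
	return false
}

// IsAllowed: an explicit Deny always wins; in DenyOnly mode anything not
// explicitly denied passes; otherwise an explicit Allow is required.
func (p Policy) IsAllowed(a Args) bool {
	for _, s := range p.Statements {
		if s.Effect == "Deny" && s.matches(a) {
			return false
		}
	}
	if a.DenyOnly {
		return true
	}
	for _, s := range p.Statements {
		if s.Effect == "Allow" && s.matches(a) {
			return true
		}
	}
	return false
}

// VulnerableSessionCheck forwards the caller's DenyOnly flag into the
// session-policy evaluation: an action the session policy never mentions
// is not blocked.
func VulnerableSessionCheck(session Policy, a Args) bool {
	return session.IsAllowed(a)
}

// FixedSessionCheck clears DenyOnly whenever a session policy is present,
// so the session policy must explicitly allow the action.
func FixedSessionCheck(session Policy, a Args) bool {
	a.DenyOnly = false
	return session.IsAllowed(a)
}

// RestrictedSession is a constructed session policy permitting only reads
// under one prefix; it says nothing about service-account creation.
var RestrictedSession = Policy{Statements: []Statement{{
	Effect:    "Allow",
	Actions:   []string{"s3:GetObject"},
	Resources: []string{"arn:aws:s3:::reports/*"},
}}}

func main() {
	// Assumed for this illustration: creating a service account under the
	// caller's own parent is evaluated with DenyOnly set.
	create := Args{Action: "admin:CreateServiceAccount", DenyOnly: true}
	fmt.Println("vulnerable allows create:", VulnerableSessionCheck(RestrictedSession, create)) // true
	fmt.Println("fixed allows create:     ", FixedSessionCheck(RestrictedSession, create))      // false

	read := Args{Action: "s3:GetObject", Resource: "arn:aws:s3:::reports/q1.csv"}
	fmt.Println("read allowed by both:", VulnerableSessionCheck(RestrictedSession, read), FixedSessionCheck(RestrictedSession, read)) // true true
}
```

The design point is the one the advisory makes: a session policy is a ceiling on what the parent's policies already grant, so "not explicitly denied" is the wrong question to ask of it. The fixed path still honours explicit Deny statements (a session policy that denies admin:* is refused by both checks); it only stops silence from being read as consent.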

Tags: Exploit · Fix · LPE

Weakness Enumeration: Incorrect Authorization

Related Identifiers

ALT-PU-2025-14356
ALT-PU-2025-14415
BDU:2025-13411
BIT-MINIO-2025-62506
CVE-2025-62506
GHSA-jjjj-jwhf-8rgr
GO-2025-4034
OPENSUSE-SU-2025:15710-1

Affected Products

Alt Linux
Minio
RED OS