MinIO, a high-performance object storage server compatible with Amazon S3, has released a patch to address a critical security vulnerability. The vulnerability, tracked as CVE-2025-31489, involves incomplete signature validation for unsigned-trailer uploads, posing a significant risk to users.
The core issue lies in how MinIO handles authorization. The "signature component of the authorization may be invalid," which can allow a malicious client to upload objects using any arbitrary secret. To exploit this, the attacker needs prior WRITE permissions on the bucket, knowledge of the access-key, and the bucket name.
The security advisory emphasizes the severity of this flaw: "This is a high priority vulnerability and users must upgrade ASAP". With the necessary information, exploiting this vulnerability to upload unauthorized objects to buckets is described as "trivial and easy via curl".
The affected MinIO version is RELEASE.2023-05-18T00-05-36Z.
A patch is available to correct this vulnerability. The patched version is RELEASE.2025-04-03T14-56-28Z.
A workaround is suggested: "Reject requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER for now at LB layer, ask application users to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER".
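As an added illustration of that workaround (not code from MinIO or the advisory), the following Go middleware implements the load-balancer-side filter: it answers 403 to any request declaring the unsigned-trailer payload and passes everything else to the backend. The handler name, constants and stub backend are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header and values named in the advisory's workaround.
const (
	contentSHA256Header = "X-Amz-Content-Sha256"
	unsignedTrailer     = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
	signedTrailer       = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"
)

// isUnsignedTrailerUpload reports whether the request declares the
// unsigned-trailer streaming payload the advisory says to reject at the LB.
func isUnsignedTrailerUpload(r *http.Request) bool {
	v := strings.TrimSpace(r.Header.Get(contentSHA256Header))
	return strings.EqualFold(v, unsignedTrailer)
}

// RejectUnsignedTrailer wraps the upstream handler (the MinIO backend) and
// refuses unsigned-trailer uploads; all other requests pass through unchanged.
func RejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isUnsignedTrailerUpload(r) {
			http.Error(w, "unsigned trailer uploads are disabled; use "+signedTrailer, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed PUT with the given x-amz-content-sha256 value
// through the filter in front of a stub backend and returns the HTTP status.
func statusFor(sha256Value string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stub standing in for MinIO storing the object
	})
	req := httptest.NewRequest(http.MethodPut, "/bucket/object", strings.NewReader("data"))
	if sha256Value != "" {
		req.Header.Set(contentSHA256Header, sha256Value)
	}
	rec := httptest.NewRecorder()
	RejectUnsignedTrailer(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, v := range []string{unsignedTrailer, signedTrailer, "UNSIGNED-PAYLOAD", ""} {
		fmt.Printf("%-45q -> %d\n", v, statusFor(v))
	}
}
```

The same check expressed as a load-balancer rule (for example an nginx `if` on `$http_x_amz_content_sha256` returning 403) is the production form; the Go version makes the decision logic testable offline.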
Given the high severity of this vulnerability, MinIO users are strongly advised to upgrade to the patched version as soon as possible to mitigate the risk of unauthorized uploads and potential data compromise.