CVE-2025-31489
Published 2025-04-03
Priority: P2 (61) · Severity: high · CVSS 4.0 score: 8.7
EXPLOIT · EPSS: 2.33% (81.4th percentile)
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of the access-key and of a bucket name this user might have access to, and an access-key with WRITE permissions, is necessary. However, with the relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0 < 0.0.0-20250403145552-8c70975283f9 | 0.0.0-20250403145552-8c70975283f9 |
| minio | minio | < RELEASE.2025-04-03T14-56-28Z | RELEASE.2025-04-03T14-56-28Z |
Detection & IOCs (extracted from sources)
Indicators (type: other):
- `x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`
- `Authorization: Credential=<access_key_id>/.../.../s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=test`
- `X-Amz-Trailer: x-amz-checksum-crc32`
- `Content-Encoding: aws-chunked`
- `Trailer: x-amz-trailer-signature`
Snort rule (sid:2061442):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER MinIO Incomplete Signature Validation for Unsigned-Trailer Uploads (CVE-2025-31489)"; flow:established,to_server; http.method; content:"PUT"; http.header; content:"Signature|3d|"; content:"x-amz-content-sha256|3a 20|STREAMING-UNSIGNED-PAYLOAD-TRAILER"; fast_pattern; reference:url,github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh; reference:cve,2025-31489; classtype:web-application-activity; sid:2061442; rev:1; metadata:affected_product MinIO, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_10, cve CVE_2025_31489, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect exploit attempts by matching HTTP PUT requests containing both 'Signature=' and the header value 'x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER' — the Snort rule uses these as the primary fast_pattern indicators (sid:2061442).
- The Nuclei template confirms a successful exploit by checking for an HTTP 200 response AND the presence of both 'x-amz-id' and 'x-amz-request-id' in the response headers — use this as a positive-exploitation matcher.
- Shodan/FOFA fingerprinting for exposed MinIO instances: search for http.title:"minio console", app="minio-console", or title="minio console" to identify attack surface.
- As a network-layer mitigation, reject/block inbound requests where the header 'x-amz-content-sha256' is set to 'STREAMING-UNSIGNED-PAYLOAD-TRAILER' at the load balancer or WAF layer.
- The exploit uses a literal 'Signature=test' (arbitrary/invalid value) in the Authorization header combined with chunked transfer encoding and aws-chunked content encoding — alert on PUT requests with a trivially short or non-HMAC Signature value targeting S3-style endpoints.
- The vulnerability only affects users who already have WRITE permissions on the target bucket; prior knowledge of a valid access-key and bucket name is required. The bypass is limited to signature validation — it does not grant access beyond what the access-key's permissions already allow.
- The fix is available in MinIO RELEASE.2025-04-03T14-56-28Z. Deployments running older releases remain vulnerable to signature bypass on STREAMING-UNSIGNED-PAYLOAD-TRAILER uploads.
- The Snort rule (sid:2061442) is marked confidence Medium and requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective on HTTPS-protected MinIO endpoints.
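A header-level check that applies the Snort rule's three conditions and the advisory's LB-layer workaround side by side, added here as an example (it is not code from MinIO, Emerging Threats or the advisory). It assumes requests have already been parsed into a method and a header map (for instance from a proxy access log with header logging), and the `Request`, `SAMPLES` and `triage` names are this example's own; the sample requests are constructed.

```python
from dataclasses import dataclass, field

UNSIGNED_TRAILER = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"


@dataclass
class Request:
    """One parsed HTTP request: method plus its header map (example-only type)."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), "").strip()

def matches_snort_rule(req: Request) -> bool:
    """Same three conditions as ET sid:2061442: PUT, a SigV4 'Signature=' field
    (checked here in Authorization, where SigV4 places it; the rule scans the
    whole header block) and the unsigned-trailer x-amz-content-sha256 value."""
    return (req.method.upper() == "PUT"
            and "Signature=" in req.header("Authorization")
            and req.header("x-amz-content-sha256") == UNSIGNED_TRAILER)

def blocked_by_lb_workaround(req: Request) -> bool:
    """The advisory's interim LB-layer mitigation: reject every request carrying
    the unsigned-trailer value, whatever its method or signature."""
    return req.header("x-amz-content-sha256") == UNSIGNED_TRAILER

# Constructed sample requests (not captured traffic); values mirror the IOC list above.
SAMPLES = {
    "exploit_like_put": Request("PUT", {
        "Authorization": "AWS4-HMAC-SHA256 Credential=<access_key_id>/<date>/<region>/s3/aws4_request, "
                         "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=test",
        "X-Amz-Content-Sha256": UNSIGNED_TRAILER,
        "Content-Encoding": "aws-chunked",
        "X-Amz-Trailer": "x-amz-checksum-crc32",
    }),
    "normal_signed_put": Request("PUT", {
        "Authorization": "AWS4-HMAC-SHA256 Credential=<access_key_id>/<date>/<region>/s3/aws4_request, "
                         "SignedHeaders=host;x-amz-date, Signature=<64-hex-hmac-placeholder>",
        "x-amz-content-sha256": "UNSIGNED-PAYLOAD",
    }),
    "trailer_get": Request("GET", {"x-amz-content-sha256": UNSIGNED_TRAILER}),
}

def triage(samples: dict) -> dict:
    """Map each sample name to (snort_rule_hit, lb_workaround_blocked)."""
    return {n: (matches_snort_rule(r), blocked_by_lb_workaround(r)) for n, r in samples.items()}
```

The third sample shows the difference between the two policies: the workaround drops every unsigned-trailer request, including ones the Snort rule would not alert on, so expect legitimate clients that use trailing checksums to be affected until the upgrade.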
CVSS provenance
- NVD (CVSS v4.0): 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 8.7 HIGH
OSV · 2025-04-09
CVE-2025-31489 MinIO performs incomplete signature validation for unsigned-trailer uploads in github.com/minio/minio
OSV · 2025-04-04
CVE-2025-31489 [HIGH] MinIO performs incomplete signature validation for unsigned-trailer uploads
### Impact
This is a high priority vulnerability and users must upgrade ASAP.
The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket.
Prior knowledge of the access-key and of a bucket name this user might have access to, and an access-key with WRITE permissions, is necessary.
However, with the relevant information in place, uploading random objects to buckets is trivial and easy via `curl`.
### Patches
Yes: https://github.com/minio/minio/pull/21103
### Workarounds
Reject requests with `x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` for now at LB layer, ask a
GHSA · 2025-04-04
CVE-2025-31489 [HIGH] CWE-347 MinIO performs incomplete signature validation for unsigned-trailer uploads
Red Hat · 2025-04-03 · CVSS 8.7
CVE-2025-31489 [HIGH] CWE-347 minio: MinIO performs incomplete signature validation for unsigned-trailer uploads
A flaw was found in the Minio package. The signature component of the authorization may be invalid, which
Suricata · 2025-04-10 · CVSS 8.7
CVE-2025-31489 [HIGH] ET WEB_SERVER MinIO Incomplete Signature Validation for Unsigned-Trailer Uploads (CVE-2025-31489)
Nuclei · CVSS 8.7
CVE-2025-31489 [HIGH] MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads
Template:
id: CVE-2025-31489
info:
  name: MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  descr
No writeups or analysis indexed.