CVE-2025-31489
published 2025-04-03

Priority: P2 61 · Severity: High · 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (threat and environmental metrics not defined)
Exploit: public exploit available (see Detection & IOCs)
EPSS: 2.33% (81.4th percentile)
MinIO is a high-performance object storage server released under the GNU Affero General Public License v3.0. For uploads sent in the STREAMING-UNSIGNED-PAYLOAD-TRAILER mode, the signature component of the Authorization header is not validated, so a client can upload objects using an arbitrary secret key as long as the access key it names already has WRITE permission on the target bucket. An attacker therefore needs the access key ID (not its secret) and the name of a bucket that key can write to; with those in hand, uploading arbitrary objects is trivial with curl. The issue is fixed in RELEASE.2025-04-03T14-56-28Z.

Affected (2 ranges)

Vendor       Product       Version range                               Fixed in
github.com   minio_minio   >= 0, < 0.0.0-20250403145552-8c70975283f9   0.0.0-20250403145552-8c70975283f9
minio        minio         < RELEASE.2025-04-03T14-56-28Z              RELEASE.2025-04-03T14-56-28Z

Detection & IOCs (extracted from sources)

Request headers used by the exploit (IOC type: other):
  x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
  Authorization: Credential=<access_key_id>/.../.../s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=test
  X-Amz-Trailer: x-amz-checksum-crc32
  Content-Encoding: aws-chunked
  Trailer: x-amz-trailer-signature

Snort/Suricata rule (Emerging Threats, sid:2061442):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER MinIO Incomplete Signature Validation for Unsigned-Trailer Uploads (CVE-2025-31489)"; flow:established,to_server; http.method; content:"PUT"; http.header; content:"Signature|3d|"; content:"x-amz-content-sha256|3a 20|STREAMING-UNSIGNED-PAYLOAD-TRAILER"; fast_pattern; reference:url,github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh; reference:cve,2025-31489; classtype:web-application-activity; sid:2061442; rev:1; metadata:affected_product MinIO, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_10, cve CVE_2025_31489, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect exploit attempts by matching HTTP PUT requests that contain both 'Signature=' and the header value 'x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER'; the Snort rule (sid:2061442) uses these as its primary fast_pattern indicators. Note that legitimate unsigned-trailer uploads match the same pattern, so expect benign hits.
  • The Nuclei template confirms a successful exploit by checking for an HTTP 200 response AND the presence of both 'x-amz-id' and 'x-amz-request-id' in the response headers; use this as a positive-exploitation matcher.
  • Shodan/FOFA fingerprinting for exposed MinIO instances: search for http.title:"minio console", app="minio-console", or title="minio console" to identify attack surface.
  • As a network-layer mitigation, reject inbound requests whose 'x-amz-content-sha256' header is 'STREAMING-UNSIGNED-PAYLOAD-TRAILER' at the load balancer or WAF. Caveat: this also blocks legitimate unsigned-trailer uploads (recent AWS SDK releases send this mode by default for checksummed uploads over HTTPS), so treat it as a stopgap until the fixed release is deployed.
  • The exploit uses a literal 'Signature=test' (an arbitrary, invalid value) in the Authorization header together with chunked transfer encoding and aws-chunked content encoding. A genuine SigV4 signature is 64 lowercase hex characters (an HMAC-SHA256), so alert on PUT requests to S3-style endpoints whose Signature value is shorter or not hex.
  • The vulnerability only affects access keys that already hold WRITE permission on the target bucket; the attacker needs the access key ID and the bucket name, but not the secret key. The bypass is limited to signature validation: it grants nothing beyond what the access key's existing permissions already allow.
  • The fix is available in MinIO RELEASE.2025-04-03T14-56-28Z. Deployments running older releases remain vulnerable to signature bypass on STREAMING-UNSIGNED-PAYLOAD-TRAILER uploads.
  • The Snort rule (sid:2061442) is marked confidence Medium and requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective on HTTPS-protected MinIO endpoints.
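The following Go program is an added example, not MinIO's code and not taken from the advisory or the rule above. It shows both halves of the list: the detection heuristics (the Snort rule's broad PUT + 'Signature=' + unsigned-trailer match, and the narrower "signature cannot be an HMAC" filter) applied to a constructed PoC-shaped request, and the SigV4 header-signature check a server must perform on every request, unsigned-trailer upload or not. The host, access key ID, date and secret are hypothetical, the request is constructed rather than captured, and the canonicalization omits URI and query encoding for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// UnsignedTrailer marks an aws-chunked upload whose body is unsigned but ends with a checksum trailer.
const UnsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"

// AuthParts holds the fields of an AWS4-HMAC-SHA256 Authorization header.
type AuthParts struct {
	AccessKey, Scope, Signature string
	SignedHeaders               []string
}

// ParseAuthorization splits "AWS4-HMAC-SHA256 Credential=AK/scope, SignedHeaders=a;b, Signature=hex".
func ParseAuthorization(h string) (AuthParts, bool) {
	var p AuthParts
	h = strings.TrimPrefix(strings.TrimSpace(h), "AWS4-HMAC-SHA256 ")
	for _, field := range strings.Split(h, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(field), "=")
		switch k {
		case "Credential":
			p.AccessKey, p.Scope, _ = strings.Cut(v, "/")
		case "SignedHeaders":
			p.SignedHeaders = strings.Split(v, ";")
		case "Signature":
			p.Signature = v
		}
	}
	return p, p.AccessKey != "" && p.Scope != "" && p.Signature != "" && len(p.SignedHeaders) > 0
}

// MatchesSnortRule mirrors sid:2061442 (PUT + "Signature=" + unsigned-trailer header); legitimate SDK uploads match too.
func MatchesSnortRule(method string, hdr map[string]string) bool {
	return method == "PUT" &&
		strings.Contains(hdr["authorization"], "Signature=") &&
		hdr["x-amz-content-sha256"] == UnsignedTrailer
}

// LooksLikeExploit narrows that to signatures that cannot be a 32-byte HMAC, such as the PoC's "Signature=test".
func LooksLikeExploit(method string, hdr map[string]string) bool {
	p, ok := ParseAuthorization(hdr["authorization"])
	raw, err := hex.DecodeString(p.Signature)
	return MatchesSnortRule(method, hdr) && (!ok || err != nil || len(raw) != 32)
}

// CanonicalRequest builds the SigV4 canonical request (URI/query encoding omitted). For unsigned-trailer uploads
// the payload-hash slot holds the literal marker, so the header signature still binds method, path and headers.
func CanonicalRequest(method, path, query string, hdr map[string]string, signed []string, payloadHash string) string {
	lines := []string{method, path, query}
	for _, n := range signed { // SignedHeaders is already in canonical (sorted) order
		lines = append(lines, n+":"+strings.TrimSpace(hdr[n]))
	}
	lines = append(lines, "", strings.Join(signed, ";"), payloadHash)
	return strings.Join(lines, "\n")
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// ExpectedSignature derives kSigning from "AWS4"+secret through the scope (date/region/service/aws4_request).
func ExpectedSignature(secret, amzDate, scope, canonical string) string {
	sum := sha256.Sum256([]byte(canonical))
	sts := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hex.EncodeToString(sum[:])
	key := []byte("AWS4" + secret)
	for _, part := range strings.Split(scope, "/") {
		key = hmacSHA256(key, part)
	}
	return hex.EncodeToString(hmacSHA256(key, sts))
}

// VerifyHeaderSignature is the check a server must run on every request, unsigned trailer or not.
func VerifyHeaderSignature(secret, method, path, query string, hdr map[string]string) bool {
	p, ok := ParseAuthorization(hdr["authorization"])
	if !ok || strings.Count(p.Scope, "/") != 3 {
		return false
	}
	cr := CanonicalRequest(method, path, query, hdr, p.SignedHeaders, hdr["x-amz-content-sha256"])
	want := ExpectedSignature(secret, hdr["x-amz-date"], p.Scope, cr)
	return hmac.Equal([]byte(want), []byte(p.Signature)) // constant-time compare
}

// ExploitHeaders is a constructed request in the shape of the PoC (hypothetical host, key and date; not a capture).
func ExploitHeaders() map[string]string {
	return map[string]string{
		"host":                 "minio.example.internal:9000",
		"x-amz-date":           "20250403T145600Z",
		"x-amz-content-sha256": UnsignedTrailer,
		"authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250403/us-east-1/s3/aws4_request, " +
			"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=test",
	}
}
```

Run against ExploitHeaders(), both MatchesSnortRule and LooksLikeExploit fire and VerifyHeaderSignature rejects the request with any secret. Re-signing the same headers with ExpectedSignature under the real secret produces a request that VerifyHeaderSignature accepts and LooksLikeExploit ignores, while MatchesSnortRule still fires, which is the benign-hit behaviour behind the rule's Medium confidence.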

CVSS provenance

NVD · CVSS v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor) · 8.7 HIGH