Closed
Description
Advisory GHSA-wg47-6jq2-q2hh references a vulnerability in the following Go modules:
Module |
---|
github.com/minio/minio |
Description:
Impact
This is a high-priority vulnerability and users must upgrade ASAP.
The signature component of the authorization may be invalid and still be accepted, which means that as a client you can use any arbitrary secret to upload objects, provided the access key you name already has WRITE permission on the bucket.
Prior knowledge of an access key with WRITE permission, and of a bucket name that key can access, is necessary.
With that information in place, however, uploading arbitrary objects to the bucket is trivial via curl.
Patches
Yes minio/minio#21103
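The failure mode described under Impact, as an added illustration that is not MinIO's code and does not reproduce the patched code path: a simplified AWS Signature V4 header-signing check in Go, with a switch that models the bug (on the STREAMING-UNSIGNED-PAYLOAD-TRAILER path the server confirms the access key exists but never compares the signature) beside the corrected behaviour. Request, Sign, Authorize, NewUpload, the hostname minio.local, the access key AKIAEXAMPLE and its secret are all constructed for this example; query strings, URI encoding and the trailing checksum itself are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

const (
	algorithm = "AWS4-HMAC-SHA256"
	// UnsignedTrailer is the x-amz-content-sha256 value of an aws-chunked upload whose checksum arrives as a trailer.
	UnsignedTrailer = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
)

// Request is a constructed, minimal view of an S3 PUT (no query string, header names lower-cased); not MinIO's type.
type Request struct {
	Method, Path string
	Headers      map[string]string
}

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// signature is SigV4 header signing. For an unsigned-trailer upload the payload-hash header is a fixed
// literal, so the body is not covered, but the signed headers are, and only the secret holder can sign them.
func signature(secret, scope string, r Request, signed []string) string {
	var cr strings.Builder
	cr.WriteString(r.Method + "\n" + r.Path + "\n\n") // empty canonical query string
	for _, h := range signed {
		cr.WriteString(h + ":" + strings.TrimSpace(r.Headers[h]) + "\n")
	}
	cr.WriteString("\n" + strings.Join(signed, ";") + "\n" + r.Headers["x-amz-content-sha256"])
	crHash := sha256.Sum256([]byte(cr.String()))
	toSign := algorithm + "\n" + r.Headers["x-amz-date"] + "\n" + scope + "\n" + hex.EncodeToString(crHash[:])
	key := []byte("AWS4" + secret)
	for _, part := range strings.Split(scope, "/") { // date, region, service, aws4_request
		key = hmacSHA256(key, part)
	}
	return hex.EncodeToString(hmacSHA256(key, toSign))
}

// Sign is the client side: it signs every header present on a fresh request and sets Authorization.
func Sign(r *Request, accessKey, secret, region string) {
	signed := make([]string, 0, len(r.Headers))
	for h := range r.Headers {
		signed = append(signed, h)
	}
	sort.Strings(signed)
	scope := r.Headers["x-amz-date"][:8] + "/" + region + "/s3/aws4_request"
	r.Headers["authorization"] = fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		algorithm, accessKey, scope, strings.Join(signed, ";"), signature(secret, scope, *r, signed))
}

// Authorize is the server-side check. skipTrailerSig=true models the failure mode in the advisory: the
// unsigned-trailer path confirms the access key exists but never compares the signature; false is the fix.
func Authorize(r Request, secrets map[string]string, skipTrailerSig bool) error {
	parts := map[string]string{} // Credential=AK/scope, SignedHeaders=a;b, Signature=hex
	for _, field := range strings.Split(strings.TrimPrefix(r.Headers["authorization"], algorithm+" "), ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(field), "=")
		parts[k] = v
	}
	accessKey, scope, _ := strings.Cut(parts["Credential"], "/")
	secret, ok := secrets[accessKey]
	if !ok {
		return fmt.Errorf("unknown access key %q", accessKey)
	}
	if skipTrailerSig && r.Headers["x-amz-content-sha256"] == UnsignedTrailer {
		return nil // BUG: any secret is accepted for a known access key on this path
	}
	want := signature(secret, scope, r, strings.Split(parts["SignedHeaders"], ";"))
	if !hmac.Equal([]byte(want), []byte(parts["Signature"])) {
		return fmt.Errorf("signature mismatch for %q", accessKey)
	}
	return nil
}

// NewUpload is a constructed unsigned-trailer PUT as an aws-chunked client sends it.
func NewUpload() Request {
	return Request{Method: "PUT", Path: "/bucket/object", Headers: map[string]string{
		"host": "minio.local:9000", "x-amz-date": "20250403T120000Z", "content-encoding": "aws-chunked",
		"x-amz-content-sha256": UnsignedTrailer, "x-amz-trailer": "x-amz-checksum-crc32"}}
}

func main() {
	secrets := map[string]string{"AKIAEXAMPLE": "realsecret"} // constructed credentials
	req := NewUpload()
	Sign(&req, "AKIAEXAMPLE", "wrong-secret", "us-east-1") // caller knows only the access key name
	fmt.Println("vulnerable:", Authorize(req, secrets, true))  // <nil>: upload accepted
	fmt.Println("fixed:     ", Authorize(req, secrets, false)) // signature mismatch for "AKIAEXAMPLE"
}
```

Signed with the wrong secret, the modelled vulnerable path returns nil while the corrected path reports a signature mismatch; the same forged request with a non-streaming x-amz-content-sha256 value is rejected on both paths, which is the asymmetry the advisory describes. The comparison goes through hmac.Equal so that verification does not leak signature bytes through timing. Because the server takes SignedHeaders from the client's own header, a production verifier should additionally insist that host, x-amz-date and x-amz-content-sha256 are among the signed headers before recomputing; this example does not.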
...
References:
- ADVISORY: GHSA-wg47-6jq2-q2hh
- ADVISORY: GHSA-wg47-6jq2-q2hh
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-31489
- FIX: minio/minio@8c70975
- FIX: make sure to validate signature unsigned trailer stream minio/minio#21103
Cross references:
- github.com/minio/minio appears in 17 other report(s):
- data/excluded/GO-2022-0285.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0421.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0479.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0756.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1591.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1634.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1667.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1668.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1669.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2206.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2267.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2318.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2322.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322) LEGACY_FALSE_POSITIVE
- data/reports/GO-2024-2499.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499)
- data/reports/GO-2024-2886.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107 #2886)
- data/reports/GO-2024-3336.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-cwq8-g58r-32hg #3336)
- data/reports/GO-2025-3495.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2025-27414 #3495)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/minio/minio
versions:
- fixed: 0.0.0-20250403145552-8c70975283f9
summary: MinIO performs incomplete signature validation for unsigned-trailer uploads in github.com/minio/minio
cves:
- CVE-2025-31489
ghsas:
- GHSA-wg47-6jq2-q2hh
references:
- advisory: https://github.com/advisories/GHSA-wg47-6jq2-q2hh
- advisory: https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-31489
- fix: https://github.com/minio/minio/commit/8c70975283f9f4ce80f331a25c7475a36279e519
- fix: https://github.com/minio/minio/pull/21103
notes:
- fix: 'github.com/minio/minio: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
id: GHSA-wg47-6jq2-q2hh
created: 2025-04-04T15:01:30.903363405Z
review_status: UNREVIEWED