How the CVE Works:
MinIO fails to properly validate signatures for S3 API requests that use STREAMING-UNSIGNED-PAYLOAD-TRAILER. Attackers with prior knowledge of a valid access key and bucket WRITE permissions can exploit this flaw to upload arbitrary objects without proper authorization. The vulnerability arises because MinIO skips full signature verification for streaming uploads with unsigned trailers, allowing malicious clients to bypass authentication checks.
DailyCVE Form:
Platform: MinIO
Version: < 0.0.0-20250403145552
Vulnerability: Incomplete signature validation
Severity: High
Date: 2025-04-04
What Undercode Say:
Exploitation:
1. Craft a malicious `PUT` request with the header `x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`.
2. Use a known access key and bucket name with WRITE permissions.
3. Bypass signature validation to upload unauthorized data.
Example Exploit Command:
curl -X PUT "http://minio-server/bucket/malicious-object" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=ACCESS_KEY/..." \
  -H "x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER" \
  --data-binary @payload.txt
Mitigation:
1. Patch: Upgrade to MinIO version `0.0.0-20250403145552-8c70975283f9`.
2. Workaround: Reject requests with `STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the load balancer/proxy level.
3. Enforce Strict Signing: Require `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER`.
Detection Script (Check Vulnerable Versions):
# Exact-match check: any build whose version string differs from the patched pseudo-version, including later releases, is reported as vulnerable.
minio version | grep -q "0.0.0-20250403145552-8c70975283f9" || echo "Vulnerable"
Proxy Block Rule (NGINX):
# Place inside the server or location block that proxies to MinIO.
if ($http_x_amz_content_sha256 ~ "STREAMING-UNSIGNED-PAYLOAD-TRAILER") {
    return 403;
}
AWS IAM Policy (Prevent Unsigned Uploads):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:signatureversion": "AWS4-HMAC-SHA256"
        }
      }
    }
  ]
}
The Deny must be conditioned on `StringNotEquals` so that only `PutObject` calls that are not SigV4-signed are refused (a `StringEquals` condition would deny every legitimately signed upload instead). Note that `s3:signatureversion` tests the signature version only; a request using `STREAMING-UNSIGNED-PAYLOAD-TRAILER` is still a SigV4 request, so this policy complements the patch and the proxy rule rather than replacing them.
Log Monitoring (Detect Exploits):
grep "STREAMING-UNSIGNED-PAYLOAD-TRAILER" /var/log/minio.log
References:
Reported By: https://github.com/advisories/GHSA-wg47-6jq2-q2hh