MinIO, Memory Exhaustion (Unbounded Line Read), N/A (Critical)

Listen to this Post

How CVE Works (approx. 20 lines):

The vulnerability resides in MinIO’s S3 Select CSV parsing. The `nextSplit()` function in `internal/s3select/csv/reader.go` calls `bufio.Reader.ReadBytes(‘\n’)` without any size limit. This function reads from the input stream until a newline byte is found, buffering all data in memory. If a CSV file contains no newline characters, the entire file is read into a single memory allocation. An authenticated attacker with `s3:PutObject` and `s3:GetObject` permissions can upload a malicious CSV file lacking newlines. When a victim or the attacker issues a `SelectObjectContent` request on that object, the server loads the whole file into RAM. A small compressed payload (e.g., 2 MB gzip) can decompress to gigabytes of data without newlines, triggering an out‑of‑memory (OOM) crash of the MinIO server process. The attack works even without compression using a sufficiently large uncompressed CSV. The issue was introduced in commit `minio/minio@7c14cdb` (PR 6127) and first appeared in RELEASE.2018-08-18T03-49-57Z. The CSV reader originally used Go’s `encoding/csv.Reader` (also unbounded) and later switched to `bufio.Reader.ReadBytes` after PR 8200. This is a classic resource exhaustion vulnerability (CWE‑770). All MinIO open‑source releases up to the final community release are affected. The fix caps line scanning at 128 KB using a byte‑at‑a‑time loop; if no newline is found within that limit, the reader returns an error instead of buffering indefinitely.

dailycve form:

Platform: MinIO AIStor
Version: All pre‑RELEASE.2025-12-20
Vulnerability: Unbounded CSV line
Severity: Critical
date: 2025-12-20

Prediction: Already patched (2025-12-20)

What Undercode Say:

Simulate the unbounded read issue
dd if=/dev/zero bs=1M count=100 | tr '\0' 'a' > noline.csv
mc cp noline.csv myminio/bucket/
mc select --query "select from s3object" myminio/bucket/noline.csv
Monitor memory usage (Linux)
watch -n1 'ps aux | grep minio | grep -v grep | awk "{print \$6}"'
Check for OOM kills
dmesg | grep -i "oom-killer"

Exploit:

Authenticated user uploads a CSV with no newlines (e.g., 2 GB uncompressed or 2 MB gzip‑compressed that expands to >RAM). Then sends `SelectObjectContent` API request (POST with ?select&select-type=2). The server calls nextSplit(), which tries to read the entire file into memory, causing process crash. Attack can be repeated to create denial of service.

Protection from this CVE:

Upgrade to MinIO AIStor `RELEASE.2025-12-20T04-58-37Z` or later. If upgrade impossible, use IAM policies to deny `s3:GetObject` on sensitive buckets, or specifically block `SelectObjectContent` at reverse proxy (block POST requests with ?select&select-type=2). Also restrict `s3:PutObject` to trusted principals to reduce attack surface (though any authorized user can still exploit).

Impact:

Remote authenticated denial of service (server OOM crash). Allows any user with upload and read permissions on a bucket to crash the entire MinIO process, affecting all buckets and services on that node. Combined with compression, a tiny upload (2 MB) can bring down a server with gigabytes of RAM. No data corruption or leakage, but high availability is destroyed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top