MinIO, Privilege Escalation, CVE-2025-XXXX (Critical)


The vulnerability in MinIO’s IAM policy validation allows a restricted service or STS account to bypass its session policy when creating a new service account for itself. The flaw resides in the `isAllowedBySessionPolicyForServiceAccount` function within cmd/iam.go. This function incorrectly used the `DenyOnly` flag for validation. When an account performs an “own” account operation, `DenyOnly` logic checks only if an action is explicitly denied, bypassing standard checks. However, when a session policy is active, the system must enforce that the action is explicitly allowed by that policy. The bug allowed the `CreateServiceAccount` action to proceed based solely on the parent policy if the session policy did not explicitly deny it, ignoring the session policy’s allow restrictions. This enabled the creation of a new, unrestricted service account, effectively escalating privileges beyond the intended session policy constraints.
Platform: MinIO
Version: RELEASE.2025-10-15T17-29-55Z
Vulnerability: Privilege Escalation
Severity: Critical

Date: 2025-10-15

Prediction: Patch 2025-10-15

What Undercode Says:

```shell
# Check current MinIO version
minio version
# List service accounts (requires mc admin command)
mc admin user svcacct list myminio/ restricted_user
# Audit logs for 'CreateServiceAccount' events
mc admin trace myminio/ | grep CreateServiceAccount
```
```go
// Vulnerable code snippet from cmd/iam.go (simplified)
// The function incorrectly relied on DenyOnly for session policies.
// The boolean parameters are simplified stand-ins for the real signature.
func isAllowedBySessionPolicyForServiceAccount(isDenyOnly, isAllowed, isDenied bool) bool {
	// ... Flawed logic using DenyOnly ...
	if isDenyOnly {
		// This bypassed the session policy 'Allow' check:
		// the action passes as long as it is not explicitly denied.
		return !isDenied
	}
	// Correct validation should always check isAllowed for session policies
	return isAllowed && !isDenied
}
```
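To make the DenyOnly mistake concrete, the following is an added model (not MinIO's code) of two evaluators over a parent policy and a session policy. The `Policy` type, the action strings and the function names are assumptions for this example; MinIO's real policy engine is far richer. The vulnerable evaluator consults the session policy only for explicit denies, so the parent's allow carries `CreateServiceAccount` through; the fixed evaluator requires the session policy to explicitly allow the action.

```go
package main

import "fmt"

// Action names for this model (the admin action string is an assumption;
// the page only names the CreateServiceAccount API).
const (
	ActionCreateServiceAccount = "admin:CreateServiceAccount"
	ActionGetObject            = "s3:GetObject"
)

// Policy is a minimal model: sets of explicitly allowed and denied actions.
type Policy struct {
	Allow map[string]bool
	Deny  map[string]bool
}

func (p *Policy) allows(action string) bool { return p != nil && p.Allow[action] }
func (p *Policy) denies(action string) bool { return p != nil && p.Deny[action] }

// VulnerableCheck models the DenyOnly logic: for an "own account" operation
// the session policy can only veto; if it does not explicitly deny the
// action, the parent policy's allow decides the outcome.
func VulnerableCheck(parent, session *Policy, action string) bool {
	if parent.denies(action) || !parent.allows(action) {
		return false
	}
	if session == nil {
		return true // no session policy: parent policy alone governs
	}
	return !session.denies(action) // DenyOnly: never requires an explicit allow
}

// FixedCheck: when a session policy is present it must explicitly allow the
// action and must not deny it; the parent policy still applies on top.
func FixedCheck(parent, session *Policy, action string) bool {
	if parent.denies(action) || !parent.allows(action) {
		return false
	}
	if session == nil {
		return true
	}
	return session.allows(action) && !session.denies(action)
}

// Constructed scenario: the parent user may create service accounts and read
// objects; the session policy was meant to restrict the caller to GetObject.
func demoParent() *Policy {
	return &Policy{
		Allow: map[string]bool{ActionCreateServiceAccount: true, ActionGetObject: true},
		Deny:  map[string]bool{},
	}
}

func demoSession() *Policy {
	return &Policy{Allow: map[string]bool{ActionGetObject: true}, Deny: map[string]bool{}}
}

func main() {
	parent, session := demoParent(), demoSession()
	fmt.Println("vulnerable allows CreateServiceAccount:",
		VulnerableCheck(parent, session, ActionCreateServiceAccount)) // true (escalation)
	fmt.Println("fixed allows CreateServiceAccount:",
		FixedCheck(parent, session, ActionCreateServiceAccount)) // false
	fmt.Println("fixed allows GetObject:",
		FixedCheck(parent, session, ActionGetObject)) // true
}
```

The fixed evaluator is the only one of the two that honours the session policy's restriction; a session policy that lists nothing but `s3:GetObject` should never be able to mint a new credential, because the new service account would carry the parent's full permissions rather than the session's.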

How It Is Exploited:

1. Obtain restricted service account credentials.

2. Use credentials to call `CreateServiceAccount` API.

3. The new service account inherits the parent user’s full privileges, not the session policy.

Protection from this CVE:

  • Upgrade MinIO immediately.
  • Audit all service accounts.
  • Review and enforce session policies.
  • Monitor API logs for suspicious activity.
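For the audit and monitoring steps, here is an added example (not part of the original post or of MinIO) that scans newline-delimited JSON audit records for successful `CreateServiceAccount` calls made by accounts that are supposed to operate under a restrictive session policy. The record layout and field names (`time`, `accessKey`, `api.name`, `api.statusCode`) are assumptions shaped loosely after MinIO audit logging; the sample lines are constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditRecord is a simplified audit entry; field names are an assumption
// for this example, not a guaranteed match for MinIO's audit schema.
type AuditRecord struct {
	Time      string `json:"time"`
	AccessKey string `json:"accessKey"`
	API       struct {
		Name       string `json:"name"`
		StatusCode int    `json:"statusCode"`
	} `json:"api"`
}

// Finding records one suspicious service-account creation.
type Finding struct {
	Time      string
	AccessKey string
}

// Constructed sample audit lines: one successful CreateServiceAccount by a
// restricted account, one failed attempt, and two admin operations.
const sampleAudit = `{"time":"2025-10-15T18:01:02Z","accessKey":"admin","api":{"name":"PutObject","statusCode":200}}
{"time":"2025-10-15T18:03:10Z","accessKey":"restricted_user","api":{"name":"CreateServiceAccount","statusCode":200}}
{"time":"2025-10-15T18:04:00Z","accessKey":"restricted_user","api":{"name":"CreateServiceAccount","statusCode":403}}
{"time":"2025-10-15T18:05:30Z","accessKey":"admin","api":{"name":"CreateServiceAccount","statusCode":200}}`

// FindServiceAccountCreations returns every successful CreateServiceAccount
// call whose caller is in the restricted set (accounts that should be bound
// by a session policy and therefore should never mint new credentials).
func FindServiceAccountCreations(logText string, restricted map[string]bool) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec AuditRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("malformed audit line %q: %w", line, err)
		}
		// Only successful creations matter; denied attempts are noise here
		// (though a burst of 403s is worth a separate alert).
		if rec.API.Name != "CreateServiceAccount" || rec.API.StatusCode != 200 {
			continue
		}
		if restricted[rec.AccessKey] {
			findings = append(findings, Finding{Time: rec.Time, AccessKey: rec.AccessKey})
		}
	}
	return findings, sc.Err()
}

func main() {
	restricted := map[string]bool{"restricted_user": true}
	findings, err := FindServiceAccountCreations(sampleAudit, restricted)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("ALERT %s: restricted account %q created a service account\n", f.Time, f.AccessKey)
	}
}
```

Feed it the set of accounts you know to be STS- or session-policy-bound (the restricted set is the only thing that makes a creation suspicious), and treat any hit on a pre-patch server as a reason to enumerate and revoke the service accounts owned by that caller.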

Impact:

  • Privilege escalation to the parent account’s level.
  • Unauthorized data access (Confidentiality High).
  • Unauthorized data modification (Integrity High).


Sources:

Reported By: github.com