CVE-2025-62506

Name
CVE-2025-62506
Description
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)
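
The session-policy check in the Description above, shown as a simplified model with the flawed logic beside the corrected one. This is an added example, not MinIO's code: the `Policy` and `Request` types, both check functions and the action names are constructed for illustration.

```go
package main

import "fmt"

// Policy is a toy allow/deny action set, constructed here; not MinIO's policy type.
type Policy struct{ Allow, Deny map[string]bool }

// IsAllowed: an explicit deny always wins. With denyOnly set, anything not
// denied passes; otherwise the action must also be explicitly allowed.
func (p Policy) IsAllowed(action string, denyOnly bool) bool {
	if p.Deny[action] {
		return false
	}
	return denyOnly || p.Allow[action]
}

// Request models an account acting on its own account (DenyOnly = true).
// Session is the inline/session policy; nil means an unrestricted account.
type Request struct {
	Action   string
	DenyOnly bool
	Session  *Policy
}

// checkFlawed reuses DenyOnly for the session policy, so a restricted
// account passes as long as its session policy does not deny the action.
func checkFlawed(parent Policy, r Request) bool {
	if r.Session != nil && !r.Session.IsAllowed(r.Action, r.DenyOnly) {
		return false
	}
	return parent.IsAllowed(r.Action, r.DenyOnly)
}

// checkFixed requires the session policy, when present, to allow the action.
func checkFixed(parent Policy, r Request) bool {
	if r.Session != nil && !r.Session.IsAllowed(r.Action, false) {
		return false
	}
	return parent.IsAllowed(r.Action, r.DenyOnly)
}

func main() {
	const create = "CreateServiceAccount" // constructed action name
	parent := Policy{Allow: map[string]bool{create: true, "GetObject": true}}
	session := &Policy{Allow: map[string]bool{"GetObject": true}} // read-only
	r := Request{Action: create, DenyOnly: true, Session: session}
	fmt.Println("flawed:", checkFlawed(parent, r)) // restriction bypassed
	fmt.Println("fixed: ", checkFixed(parent, r))  // request rejected
}
```

A regression test for this class of bug should include a session policy that neither allows nor denies the action, since an explicit deny is rejected by both versions and hides the difference.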

References

Type URI
MISC https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190
MISC https://github.com/minio/minio/pull/21642
CONFIRM https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr
af854a3a-2127-422b-91ae-364da2661108 https://github.com/minio/minio/discussions/21655
af854a3a-2127-422b-91ae-364da2661108 https://github.com/minio/minio/issues/21647
af854a3a-2127-422b-91ae-364da2661108 https://news.ycombinator.com/item?id=45684035

Match rules

CPE URI Source package Min version Max version
minio >= 0 < RELEASE.2025-10-15T17-29-55Z

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
minio edge-community 0.20251015.172955-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20251015.172955-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250907.161309-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250907.161309-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250906.173846-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250723.155402-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250723.155402-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250723.155402-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250718.215631-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250613.113347-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250613.113347-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250524.170830-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250422.221226-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250422.221226-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250408.154124-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250403.145628-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250312.180418-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250312.180418-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250228.095516-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250218.162555-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250207.232109-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250207.232109-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250203.210304-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250120.144907-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20250118.003137-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241218.131544-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241213.221912-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241107.005220-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241029.160148-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241013.133411-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20241002.175041-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240922.003343-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240913.202602-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240909.165928-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240829.014052-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240826.153307-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240817.012454-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240803.043323-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240731.054626-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240729.221452-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240726.204821-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240716.234641-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240715.190230-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240713.014615-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240710.184149-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240704.142545-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240629.012047-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240629.012047-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240628.090649-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240626.010618-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240622.052645-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240613.225353-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240611.031330-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240606.093642-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240606.093642-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240604.192008-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240528.171904-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240527.191746-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240510.014138-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240510.014138-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240507.064125-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240501.011110-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240428.175350-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240418.190919-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240406.052602-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240330.094156-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240326.221045-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240321.231343-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240315.010719-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240310.025348-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240310.025348-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240307.004348-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240305.044844-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240303.175039-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240226.093348-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240224.171114-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240217.011557-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240217.011557-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240214.213602-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240213.153511-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240212.210227-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240209.212516-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240206.213622-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240204.223613-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240131.202033-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240129.035632-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240118.225128-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240116.160738-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240113.075303-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240111.074616-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240105.221724-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240101.163633-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231223.071911-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231220.010002-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231214.185157-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231213.232855-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231209.181751-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231207.041600-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231206.090922-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231202.105133-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231120.224007-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231115.204325-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231111.081441-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231106.222608-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231101.183725-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231101.015710-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231025.063325-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231024.044236-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231016.041343-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231014.051722-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231007.150738-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20231007.150738-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230930.070229-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230927.152250-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230923.034750-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230920.224955-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230916.010147-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230907.020502-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230904.195737-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230904.195737-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230831.153116-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230829.230735-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230823.100706-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230816.201730-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230809.233022-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20230809.233022-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230721.211244-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230721.211244-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230718.174940-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230711.212934-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230707.071357-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230629.051228-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230623.202600-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230619.195250-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230616.024106-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230324.214123-r2 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230324.214123-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230324.214123-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20230217.175243-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221029.062133-r4 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221029.062133-r3 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221029.062133-r2 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221029.062133-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221029.062133-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20221024.183507-r4 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220825.071705-r4 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220825.071705-r3 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220825.071705-r2 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220825.071705-r1 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220825.071705-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220717-r6 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220717-r4 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220717-r3 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20220630-r3 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio edge-community 0.20200423-r0 None possibly vulnerable
minio 3.22-community 0.20250524.170830-r4 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.22-community 0.20250524.170830-r3 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.22-community 0.20250524.170830-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.22-community 0.20250524.170830-r1 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.22-community 0.20241107.005220-r5 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.22-community 0.20240131.202033-r0 None possibly vulnerable
minio 3.22-community 0.20200423-r0 None possibly vulnerable