2400380 – (CVE-2025-59952) CVE-2025-59952 io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution

Bug 2400380 (CVE-2025-59952) - CVE-2025-59952 io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution

Summary: CVE-2025-59952 io.minio/minio: minio-java Client XML Tag is Vulnerable to Val...

Keywords:
Status:	NEW
Alias:	CVE-2025-59952
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-30 00:01 UTC by OSIDB Bzimport
Modified:	2025-10-02 16:42 UTC (History)
CC List:	31 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-30 00:01:37 UTC

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0.

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
brian.stansberry
darran.lofthouse
dkreling
dosoudil
fjuma
fmariani
fmongiar
gmalinko
istudens
ivassile
iweiss
janstey
jkoehler
jnethert
lphiri
mosmerov
msochure
msvehla
nwallace
pesilva
pjindal
pmackay
rstancel
rstepani
smaestri
tcunning
tom.jenkinson
yfang