CVE-2025-59952
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-10-02

Assigner: GitHub, Inc.

Description
MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-10-02
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59952
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
minio minio-java *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to the exposure of sensitive system information including credentials, file paths, and configuration details. Attackers can exploit it by sending crafted XML inputs that trigger substitution of system properties or environment variables, potentially compromising application security and confidentiality of sensitive data in object storage operations. [2]

Detection Guidance

Detection involves inspecting XML inputs processed by minio-java versions prior to 8.6.0 for references to system properties or environment variables that could be substituted. Since the vulnerability arises from XML content containing such references, you can search XML files or network traffic for patterns like ${env.VAR} or ${sys.prop}. For example, using command-line tools: 1) To scan XML files locally: grep -rE '\$\{(env|sys)\.[^}]+\}' /path/to/xml/files 2) To monitor network traffic for suspicious XML payloads, use tools like tcpdump or Wireshark to capture traffic on relevant ports and then filter for XML content containing these patterns. Note that no specific detection commands are provided in the resources, so these are general suggestions based on the vulnerability description. [2]

Mitigation Strategies

The primary mitigation is to upgrade the minio-java client to version 8.6.0 or later, where the automatic substitution of XML tag values with system properties or environment variables has been disabled. If upgrading immediately is not possible, interim measures include avoiding processing XML data from untrusted or external sources and implementing input sanitization or validation to detect and remove references to system properties or environment variables in XML content before processing. [2]

Executive Summary

CVE-2025-59952 is a vulnerability in the MinIO Java SDK versions prior to 8.6.0 where XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during XML processing. This unintended behavior could expose sensitive information such as credentials, file paths, or system configuration details if the XML content came from untrusted sources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart