CVE-2025-62506: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS
A privilege escalation vulnerability in MinIO allows service accounts and STS (Security Token Service) accounts that carry a restricted session policy to bypass that inline policy restriction when performing "own" account operations, specifically when creating new service accounts for the same parent user. The newly created account is not bound by the caller's session policy, so a deliberately restricted credential can derive one with the parent user's broader permissions.
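The defensive invariant behind this class of bug is that a credential derived from another credential must never be allowed more than the caller is effectively allowed. The following Go program is an added illustration, not MinIO's code and not a reproduction of the commit linked below: it models policies as plain allow-lists of action names, shows the flawed pattern in which a child service account is built from the parent user's policy with the caller's session policy ignored, and beside it the hardened pattern that narrows the child to the caller's effective permissions. All type names, function names and the sample policies are constructed for the example.

```go
package main

import "fmt"

// Action is an S3-style action name, e.g. "s3:GetObject".
type Action string

// Policy is a simplified allow-list of actions. Real IAM/MinIO policies are JSON
// documents with resources, conditions and explicit denies; this model keeps only
// what is needed to show the session-policy intersection rule.
type Policy map[Action]bool

// Intersect returns the actions allowed by both policies.
func (p Policy) Intersect(q Policy) Policy {
	out := Policy{}
	for a := range p {
		if q[a] {
			out[a] = true
		}
	}
	return out
}

// Allows reports whether the policy permits the action.
func (p Policy) Allows(a Action) bool { return p[a] }

// Credential models a service-account or STS credential. SessionPolicy is the
// optional inline policy that further restricts the parent user's policy; nil
// means "no restriction".
type Credential struct {
	Name          string
	ParentPolicy  Policy
	SessionPolicy Policy
}

// Effective is what the credential may actually do: the parent policy, narrowed
// by the session policy when one is attached.
func (c Credential) Effective() Policy {
	if c.SessionPolicy == nil {
		return c.ParentPolicy
	}
	return c.ParentPolicy.Intersect(c.SessionPolicy)
}

// createChildVulnerable models the flawed pattern: the new account is derived
// from the parent user's policy and the caller's own session policy is never
// consulted, so a restricted credential can mint an unrestricted one.
func createChildVulnerable(caller Credential, name string, requested Policy) Credential {
	return Credential{Name: name, ParentPolicy: caller.ParentPolicy, SessionPolicy: requested}
}

// createChildHardened enforces the invariant that a derived credential never
// exceeds the caller's effective permissions: the child's session policy is
// caller.Effective(), further intersected with the requested policy if any.
func createChildHardened(caller Credential, name string, requested Policy) Credential {
	bound := caller.Effective()
	if requested != nil {
		bound = bound.Intersect(requested)
	}
	return Credential{Name: name, ParentPolicy: caller.ParentPolicy, SessionPolicy: bound}
}

// demo builds the scenario from the advisory: a user with full object rights
// holds a read-only restricted credential, which then creates a new service
// account for the same user without any inline policy. It reports whether each
// child may delete objects.
func demo() (vulnerableCanDelete, hardenedCanDelete bool) {
	full := Policy{"s3:GetObject": true, "s3:PutObject": true, "s3:DeleteObject": true}
	readOnly := Policy{"s3:GetObject": true}

	restricted := Credential{Name: "ci-reader", ParentPolicy: full, SessionPolicy: readOnly}

	v := createChildVulnerable(restricted, "child-v", nil)
	h := createChildHardened(restricted, "child-h", nil)

	return v.Effective().Allows("s3:DeleteObject"), h.Effective().Allows("s3:DeleteObject")
}

func main() {
	v, h := demo()
	fmt.Printf("vulnerable child may delete: %v\n", v) // true
	fmt.Printf("hardened child may delete:   %v\n", h) // false
}
```

The check that matters is in createChildHardened: the bound is computed from caller.Effective(), not from caller.ParentPolicy, so an omitted or over-broad requested policy can only ever shrink the child's rights, never widen them past the caller's own session policy.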
References
- github.com/advisories/GHSA-jjjj-jwhf-8rgr
- github.com/minio/minio
- github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190
- github.com/minio/minio/discussions/21655
- github.com/minio/minio/issues/21647
- github.com/minio/minio/pull/21642
- github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr
- news.ycombinator.com/item?id=45684035
- nvd.nist.gov/vuln/detail/CVE-2025-62506