8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62506

GHSA ID

GHSA-jjjj-jwhf-8rgr

EPSS Score

CWE

CWE-863

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62506

CVE-2025-62506: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS

Summary

A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same user.

Details

The vulnerability exists in the IAM policy validation logic in cmd/iam.go. When validating session policies for restricted accounts performing operations on their own account (such as creating service accounts), the code incorrectly relied on the DenyOnly argument.

The DenyOnly flag is used to allow accounts to perform actions related to their own account by only checking if the action is explicitly denied. However, when a session policy (sub-policy) is present, the system should validate that the action is actually allowed by the session policy, not just that it isn't denied.

Attack Scenario

An administrator creates a service account or STS account with a restricted inline policy (e.g., access only to bucket1 and bucket2)
The restricted account attempts to create a new service account for itself without specifying any policy restrictions
Due to the bypass, the new service account is created with full parent privileges instead of being restricted by the inline policy
The attacker now has escalated privileges beyond the intended restrictions

Impact

Attack Complexity: LOW - Exploitation requires only valid credentials for a restricted service/STS account

Confidentiality: HIGH - Attackers can access buckets and objects beyond their intended restrictions

Integrity: HIGH - Attackers can modify, delete, or create objects outside their authorized scope

Availability: NONE - Does not directly impact service availability

Patches

Fixed in PR https://github.com/minio/minio/pull/21642 Commit: c1a49490c78e9c3ebcad86ba0662319138ace190

Install the release

go install -v github.com/minio/minio@RELEASE.2025-10-15T17-29-55Z

Workarounds

No workarounds available. You can upgrade to the latest version immediately.

Mitigation Steps

Upgrade MinIO: Update to the latest version containing the fix
Audit Service Accounts: Review all service accounts created by non-admin accounts
Revoke Suspicious Accounts: Delete any service accounts that may have been created through exploitation
Review Access Logs: Check for unauthorized access to sensitive buckets

Resources

Fix PR: https://github.com/minio/minio/pull/21642
Affected code: cmd/iam.go (functions: isAllowedBySessionPolicyForServiceAccount, isAllowedBySessionPolicy)

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62506

GHSA ID

GHSA-jjjj-jwhf-8rgr

EPSS Score

CWE

CWE-863

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/minio/minio	go	< 0.0.0-20251015170045-c1a49490c78e	0.0.0-20251015170045-c1a49490c78e

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows a service account or an STS account with a restrictive session policy to create a new service account without those restrictions, effectively escalating its privileges. This is caused by a flaw in the IAM policy validation logic within MinIO.

The analysis of the patch c1a49490c78e9c3ebcad86ba0662319138ace190 reveals that the root cause lies in the handling of the DenyOnly flag within the isAllowedBySessionPolicyForServiceAccount and isAllowedBySessionPolicy functions located in cmd/iam.go.

For operations that a user performs on their own account (e.g., creating a service account for themselves), the DenyOnly flag is set to true. This typically means the operation is allowed as long as there isn't an explicit "Deny" rule. However, when a restrictive session policy is in place, the logic should have been to check if the action is explicitly allowed by that session policy. Instead, the vulnerable code continued to honor the DenyOnly=true flag, checking only for denials, which are unlikely to be present in a restrictive allow policy. This effectively bypassed the session policy.

The fix involves explicitly setting DenyOnly = false within these two functions whenever a session policy is being evaluated. This forces the subsequent policy check (subPolicy.IsAllowed) to validate that the action is explicitly permitted by the session policy, closing the privilege escalation vector. Therefore, these two functions are the direct locations of the vulnerability and would be on the execution path when this vulnerability is triggered.

Vulnerable functions

isAllowedBySessionPolicyForServiceAccount

cmd/iam.go

This function was vulnerable because it incorrectly validated session policies for service accounts performing "own" account operations. It respected the `DenyOnly` argument from the caller, which could be `true` for self-service operations. This allowed bypassing the session policy check, as the check would only look for explicit denials, not for explicit allowances. An attacker with a restricted service account could exploit this to create a new, unrestricted service account, thus escalating privileges. The patch fixes this by forcing `DenyOnly` to `false` when a session policy is present, ensuring the action is explicitly allowed by the policy.

isAllowedBySessionPolicy

cmd/iam.go

Similar to `isAllowedBySessionPolicyForServiceAccount`, this function was vulnerable when handling STS (Security Token Service) accounts. It failed to correctly validate session policies for STS accounts during "own" account operations by incorrectly using the `DenyOnly` argument. This allowed an attacker with a restricted STS token to create a service account with privileges beyond the scope of the STS session policy. The patch corrects this by setting `DenyOnly` to `false` when a session policy exists, enforcing a strict check that the action is allowed.

WAF Protection Rules

WAF Rule

### Summ*ry * privil*** *s**l*tion vuln*r**ility *llows s*rvi** ***ounts *n* STS (S**urity Tok*n S*rvi**) ***ounts wit* r*stri*t** s*ssion poli*i*s to *yp*ss t**ir inlin* poli*y r*stri*tions w**n p*r*ormin* "own" ***ount op*r*tions, sp**i*i**lly w**n

Reasoning

T** vuln*r**ility *llows * s*rvi** ***ount or *n STS ***ount wit* * r*stri*tiv* s*ssion poli*y to *r**t* * n*w s*rvi** ***ount wit*out t*os* r*stri*tions, *****tiv*ly *s**l*tin* its privil***s. T*is is **us** *y * *l*w in t** I*M poli*y v*li**tion lo

8.1

Basic Information

Concerned about an active attack path?

CVE-2025-62506: MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS

Summary

Details

Attack Scenario

Impact

Patches

Workarounds

Mitigation Steps

Resources

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI