x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2025-27414

[GoVulnBot]

Advisory CVE-2025-27414 references a vulnerability in the following Go modules:

Module
github.com/minio/minio

Description:
MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to
RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the sshPublicKey attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the sshPublicKey attr...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27414
• FIX: minio/minio@4c71f1b
• FIX: minio/minio@91e1487
• WEB: GHSA-wc79-7x8x-2p58

Cross references:

• github.com/minio/minio appears in 16 other report(s):
  • data/excluded/GO-2022-0285.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0421.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0479.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0756.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1591.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1634.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1667.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1668.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1669.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2206.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2267.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2318.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2322.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2024-2499.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499)
  • data/reports/GO-2024-2886.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107 #2886)
  • data/reports/GO-2024-3336.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-cwq8-g58r-32hg #3336)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20250228193308-11507d46da0c
summary: CVE-2025-27414 in github.com/minio/minio
cves:
    - CVE-2025-27414
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27414
    - fix: https://github.com/minio/minio/commit/4c71f1b4ec0fb2a473ddaac18c20ec9e63f267ec
    - fix: https://github.com/minio/minio/commit/91e1487de45720753c9e9e4c02b1bd16b7e452fa
    - web: https://github.com/minio/minio/security/advisories/GHSA-wc79-7x8x-2p58
source:
    id: CVE-2025-27414
    created: 2025-02-28T23:01:25.061714971Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/654257 mentions this issue: data/reports: add 23 reports