MinIO Java SDK XML Variable Expansion Vulnerability (prior 8.6.0)
CVE-2025-59952 Published on September 29, 2025

minio-java Client XML Tag is Vulnerable to Value Substitution
MinIO Java SDK is a Simple Storage Service (S3) client for performing bucket and object operations against any Amazon S3-compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0.
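The following added example is not minio-java code; it is a simplified Python model of the weakness class the advisory describes, written to show why expanding variable references in XML values from an untrusted source is dangerous. The `${NAME}` placeholder syntax, the `ListBucketResult`-style sample document, and the substitute environment are all assumptions constructed for the example. It contrasts the unsafe expanding behaviour with the literal handling a client should use, and adds a check a defender can run over untrusted XML to flag such references.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: an S3-style listing as a malicious or compromised
# server might return it. The tag values carry a variable reference.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult>
  <Name>reports</Name>
  <Prefix>${HOME}</Prefix>
  <Contents><Key>${HOME}/notes.txt</Key></Contents>
</ListBucketResult>"""

# Assumed placeholder syntax for the model: ${name}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def expand_placeholders(value, env):
    """Model of the unsafe behaviour: every ${name} in a tag value is
    replaced with the matching variable from `env`. If the XML came from
    an untrusted party, this copies local configuration into the parsed
    result (and potentially back to the server in later requests)."""
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def parse_values(xml_text, expand=False, env=None):
    """Parse tag values from the XML. With expand=False (the safe, fixed
    behaviour) values are returned exactly as they appear in the document;
    with expand=True the model reproduces the vulnerable substitution."""
    if env is None:
        env = os.environ  # real process environment, only used when expanding
    root = ET.fromstring(xml_text)
    values = {}
    for elem in root.iter():
        if elem.text and elem.text.strip():
            text = elem.text.strip()
            values[elem.tag] = expand_placeholders(text, env) if expand else text
    return values


def find_placeholder_refs(xml_text):
    """Defender-side check: list (tag, variable) pairs for every variable
    reference found in tag values of untrusted XML, so it can be logged or
    rejected before any expansion-capable parser sees it."""
    root = ET.fromstring(xml_text)
    return [
        (elem.tag, m.group(1))
        for elem in root.iter()
        if elem.text
        for m in PLACEHOLDER.finditer(elem.text)
    ]


if __name__ == "__main__":
    fake_env = {"HOME": "/home/alice"}  # constructed, stands in for os.environ
    print("vulnerable:", parse_values(SAMPLE_XML, expand=True, env=fake_env))
    print("fixed:     ", parse_values(SAMPLE_XML))
    print("flagged:   ", find_placeholder_refs(SAMPLE_XML))
```

Run with the constructed environment, the vulnerable path returns `/home/alice` for `Prefix`, disclosing a local path the server never knew, while the fixed path returns the literal `${HOME}`. The `find_placeholder_refs` check is the kind of guard worth applying to any XML or template-like input that will pass through a library with a substitution feature, independent of the specific SDK version in use.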


Weakness Types

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-59952 has been classified as a Code Injection weakness.


Products Associated with CVE-2025-59952

Affected Versions

minio-java Version < 8.6.0 is affected by CVE-2025-59952

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-59952.

Package Manager | Vulnerable Package | Versions | Fixed In
maven           | io.minio:minio     | < 8.6.0  | 8.6.0

Exploit Probability

EPSS: 0.02%
Percentile: 6.85%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.