Medium severityOSV Advisory· Published Apr 22, 2025· Updated Jun 17, 2026
CVE-2025-32963
CVE-2025-32963
Description
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the spec.audiences field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/minio/operatorGo | < 7.1.0 | 7.1.0 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/minio/operatorpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 7.1.0+ 1 more
- (no CPE)range: < 7.1.0
- (no CPE)range: < 0.0.20250422T181640-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-7m6v-q233-q9j9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32963ghsaADVISORY
- github.com/minio/operator/commit/d586294d526bf0d8e6097225114655f68b0adcc5nvdWEB
- github.com/minio/operator/releases/tag/v7.1.0nvdWEB
- github.com/minio/operator/security/advisories/GHSA-7m6v-q233-q9j9nvdWEB
News mentions
0No linked articles in our index yet.