VYPR
Get started
← All advisories
High severityOSV Advisory· Published Sep 30, 2025· Updated Apr 15, 2026

CVE-2025-59952

CVE-2025-59952

Description

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.minio:minioMaven
< 8.6.08.6.0

Affected products

1

Patches

2
f6cfc76769fe

Release version 8.6.0

https://github.com/minio/minio-javaMinio TrustedSep 26, 2025via osv
commit
1 file changed · +5 5
  • README.md+5 5 modified
    @@ -12,19 +12,19 @@ Java 1.8 or above.
 <dependency>
     <groupId>io.minio</groupId>
     <artifactId>minio</artifactId>
-    <version>8.5.17</version>
+    <version>8.6.0</version>
 </dependency>
 ```
 
 ## Gradle usage
 ```
 dependencies {
-    implementation("io.minio:minio:8.5.17")
+    implementation("io.minio:minio:8.6.0")
 }
 ```
 
 ## JAR download
-The latest JAR can be downloaded from [here](https://repo1.maven.org/maven2/io/minio/minio/8.5.17/)
+The latest JAR can be downloaded from [here](https://repo1.maven.org/maven2/io/minio/minio/8.6.0/)
 
 ## Quick Start Example - File Uploader
 This example program connects to an object storage server, makes a bucket on the server and then uploads a file to the bucket.
@@ -92,12 +92,12 @@ public class FileUploader {
 
 #### Compile FileUploader
 ```sh
-$ javac -cp minio-8.5.17-all.jar FileUploader.java
+$ javac -cp minio-8.6.0-all.jar FileUploader.java
 ```
 
 #### Run FileUploader
 ```sh
-$ java -cp minio-8.5.17-all.jar:. FileUploader
+$ java -cp minio-8.6.0-all.jar:. FileUploader
 '/home/user/Photos/asiaphotos.zip' is successfully uploaded as object 'asiaphotos-2015.zip' to bucket 'asiatrip'.
 
 $ mc ls play/asiatrip/
f7a98d06b25e

xml: disable property/environment variable substitution (#1667)

https://github.com/minio/minio-javaBala FASep 18, 2025via ghsa
commit
1 file changed · +13 4
  • api/src/main/java/io/minio/Xml.java+13 4 modified
    @@ -24,17 +24,26 @@
 import org.simpleframework.xml.Serializer;
 import org.simpleframework.xml.convert.AnnotationStrategy;
 import org.simpleframework.xml.core.Persister;
+import org.simpleframework.xml.filter.Filter;
 import org.simpleframework.xml.stream.Format;
 
 /** XML marshaller and unmarshaller. */
 public class Xml {
+  private static final Filter noopFilter =
+      new Filter() {
+        @Override
+        public String replace(String name) {
+          return null;
+        }
+      };
+
   /**
    * This marshal method will traverse the provided object checking for field annotations in order
    * to compose the XML data.
    */
   public static String marshal(Object source) throws XmlParserException {
     try {
-      Serializer serializer = new Persister(new AnnotationStrategy(), new Format(0));
+      Serializer serializer = new Persister(new AnnotationStrategy(), noopFilter, new Format(0));
       StringWriter writer = new StringWriter();
       serializer.write(source, writer);
       return writer.toString();
@@ -49,7 +58,7 @@ public static String marshal(Object source) throws XmlParserException {
    */
   public static <T> T unmarshal(Class<? extends T> type, Reader source) throws XmlParserException {
     try {
-      Serializer serializer = new Persister(new AnnotationStrategy());
+      Serializer serializer = new Persister(new AnnotationStrategy(), noopFilter);
       return serializer.read(type, source);
     } catch (Exception e) {
       throw new XmlParserException(e);
@@ -62,7 +71,7 @@ public static <T> T unmarshal(Class<? extends T> type, Reader source) throws Xml
    */
   public static <T> T unmarshal(Class<? extends T> type, String source) throws XmlParserException {
     try {
-      Serializer serializer = new Persister(new AnnotationStrategy());
+      Serializer serializer = new Persister(new AnnotationStrategy(), noopFilter);
       return serializer.read(type, new StringReader(source));
     } catch (Exception e) {
       throw new XmlParserException(e);
@@ -75,7 +84,7 @@ public static <T> T unmarshal(Class<? extends T> type, String source) throws Xml
    */
   public static boolean validate(Class type, String source) throws XmlParserException {
     try {
-      Serializer serializer = new Persister(new AnnotationStrategy());
+      Serializer serializer = new Persister(new AnnotationStrategy(), noopFilter);
       return serializer.validate(type, source);
     } catch (Exception e) {
       throw new XmlParserException(e);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.