{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/metadata-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","s3","metadata-injection","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA flaw in MinIO\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function allows any authenticated user with \u003ccode\u003es3:PutObject\u003c/code\u003e permission to inject internal server-side encryption (SSE) metadata into objects. This is achieved by sending crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers on a normal PutObject request. The MinIO server incorrectly maps these headers to \u003ccode\u003eX-Minio-Internal-*\u003c/code\u003e encryption metadata without validating if the request is a legitimate replication request. Objects written in this manner contain bogus encryption keys and become permanently unreadable through the S3 API. This vulnerability affects all MinIO releases up to the final release of the \u003ccode\u003eminio/minio\u003c/code\u003e open-source project, specifically versions introduced after commit \u003ccode\u003e468a9fae83e965ecefa1c1fdc2fc57b84ece95b0\u003c/code\u003e (included in \u003ccode\u003eRELEASE.2024-03-30T09-41-56Z\u003c/code\u003e). It was resolved in MinIO AIStor \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the MinIO server with valid credentials having \u003ccode\u003es3:PutObject\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PutObject request targeting a specific bucket and object key.\u003c/li\u003e\n\u003cli\u003eThe attacker includes \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers in the PutObject request.\u003c/li\u003e\n\u003cli\u003eThe attacker omits the \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e header, which would normally indicate a legitimate replication request.\u003c/li\u003e\n\u003cli\u003eThe MinIO server\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function incorrectly maps the crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers to \u003ccode\u003eX-Minio-Internal-Server-Side-Encryption-*\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe server writes the object metadata, including the bogus encryption keys, to the object storage.\u003c/li\u003e\n\u003cli\u003eSubsequent GetObject or HeadObject requests for the modified object will fail because the server treats the object as encrypted with non-existent or incorrect keys.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves a targeted denial-of-service, rendering the object permanently unreadable via the S3 API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables a targeted denial-of-service attack. An attacker can selectively corrupt individual objects or entire buckets within a MinIO deployment. Successful exploitation results in permanent data loss, as affected objects become unreadable through the S3 API. This can disrupt critical services relying on the object storage and potentially impact a large number of users if entire buckets are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e or later to patch the vulnerability as documented in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003erelease notes\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy or load balancer rule to drop or reject any request containing \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers that does not also include \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e, mitigating the injection path as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to limit \u003ccode\u003es3:PutObject\u003c/code\u003e grants to trusted principals only, reducing the attack surface as noted in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:26:05Z","date_published":"2026-03-27T22:26:05Z","id":"/briefs/2024-05-minio-metadata-injection/","summary":"A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.","title":"MinIO SSE Metadata Injection via Replication Headers Leads to Data Unreadability","url":"https://feed.craftedsignal.io/briefs/2024-05-minio-metadata-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Metadata-Injection","version":"https://jsonfeed.org/version/1.1"}