{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/s3select/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dos","minio","s3select"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMinIO, an open-source object storage server, is susceptible to a denial-of-service (DoS) vulnerability within its S3 Select functionality. This flaw, present since the introduction of S3 Select support in commit 7c14cdb60e53dbfdad2be644dfb180cab19fffa7 (included in releases since RELEASE.2018-08-18T03-49-57Z), stems from unbounded memory allocation when parsing CSV files. Any authenticated user possessing both \u003ccode\u003es3:PutObject\u003c/code\u003e and \u003ccode\u003es3:GetObject\u003c/code\u003e permissions can exploit this vulnerability by uploading a specially crafted CSV file lacking newline characters. A relatively small, gzip-compressed CSV file (around 2MB) can decompress into gigabytes of data, triggering excessive memory consumption and causing the MinIO server process to crash. Defenders should upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MinIO server with valid credentials, having both \u003ccode\u003es3:PutObject\u003c/code\u003e and \u003ccode\u003es3:GetObject\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CSV file. 
This file intentionally lacks newline characters and may be gzip-compressed so that a small upload expands into a far larger decompressed stream.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious CSV file to a MinIO bucket using the \u003ccode\u003es3:PutObject\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends an S3 Select (\u003ccode\u003eSelectObjectContent\u003c/code\u003e) request, which MinIO authorizes under the \u003ccode\u003es3:GetObject\u003c/code\u003e action, naming the malicious CSV object as the input. This triggers the vulnerable CSV parsing logic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enextSplit()\u003c/code\u003e function in \u003ccode\u003einternal/s3select/csv/reader.go\u003c/code\u003e attempts to read the CSV file line by line, using \u003ccode\u003ebufio.Reader.ReadBytes('\\n')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eReadBytes\u003c/code\u003e keeps appending to its result until it sees the delimiter or the end of the input, with no size limit. Because the object contains no newline, the entire decompressed object accumulates in a single buffer; the attacker pays only for the compressed size while the server pays for the decompressed size.\u003c/li\u003e\n\u003cli\u003eThe excessive memory consumption leads to an out-of-memory (OOM) condition on the MinIO server.\u003c/li\u003e\n\u003cli\u003eThe MinIO server process crashes, resulting in a denial of service for all users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, rendering the MinIO server unavailable. The attacker can repeatedly trigger the vulnerability, causing prolonged disruption to the service. The vulnerability affects all MinIO deployments using versions RELEASE.2018-08-18T03-49-57Z up to RELEASE.2025-12-03T08-12-39Z. The number of affected installations is unknown; any deployment in that range that grants both permissions to untrusted or low-privilege principals is exposed, 
and every service that depends on the object store is interrupted for as long as the server is down or restarting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version RELEASE.2025-12-20T04-58-37Z or later to remediate the vulnerability as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, cut off S3 Select via IAM policy by denying \u003ccode\u003es3:GetObject\u003c/code\u003e (the action that authorizes \u003ccode\u003eSelectObjectContent\u003c/code\u003e) for the affected principals or buckets, as described in the \u0026ldquo;Workarounds\u0026rdquo; section of the advisory. Note that this deny also blocks ordinary object reads for those principals, so scope it deliberately. Because the attack additionally requires uploading the crafted object, withholding \u003ccode\u003es3:PutObject\u003c/code\u003e from untrusted principals narrows exposure as well.\u003c/li\u003e\n\u003cli\u003eMonitor MinIO server resource consumption, particularly memory usage and unexpected process restarts, to detect exploitation attempts. Deploy the provided Sigma rule to detect potential DoS attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:32:31Z","date_published":"2026-04-09T17:32:31Z","id":"/briefs/2026-04-minio-dos/","summary":"MinIO's S3 Select feature is vulnerable to denial of service due to unbounded memory allocation when processing CSV files without newlines, leading to memory exhaustion and server crashes.","title":"MinIO S3 Select CSV Parsing Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-04-minio-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — S3select","version":"https://jsonfeed.org/version/1.1"}
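The mechanism described in the attack chain above (a delimiter-terminated `ReadBytes('\n')` with no size cap, fed by a gzip stream that costs the attacker only its compressed size) and the bounded-read fix a defender would want, as an added Go example that is not MinIO's code and not part of the original advisory. It constructs its own newline-free payload in memory, uses hypothetical names (`readRecordUnbounded`, `readRecordBounded`, `ErrRecordTooLong`, `demo`) and a 64 KiB buffer with a 1 MiB record cap chosen for the demonstration, and never talks to a MinIO server:

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrRecordTooLong is returned by readRecordBounded when no newline appears
// within the configured limit. Hypothetical name chosen for this example.
var ErrRecordTooLong = errors.New("csv: record exceeds maximum length before newline")

// makeNewlineFreeCSV builds the constructed payload: n bytes of comma-separated
// fields containing no '\n' at all, gzip-compressed so the upload stays small.
func makeNewlineFreeCSV(n int) []byte {
	raw := bytes.Repeat([]byte("a,"), n/2)
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// readRecordUnbounded mirrors the vulnerable pattern: bufio.Reader.ReadBytes('\n')
// grows its result until the delimiter or EOF, however large the input is.
func readRecordUnbounded(r io.Reader) ([]byte, error) {
	line, err := bufio.NewReader(r).ReadBytes('\n')
	if errors.Is(err, io.EOF) {
		err = nil // a final record without a trailing newline is still a record
	}
	return line, err
}

// readRecordBounded is the hardened form: it pulls data through a fixed-size
// bufio buffer one slice at a time and aborts as soon as the accumulated record
// would exceed maxLen without a newline, so memory stays near maxLen plus one buffer.
func readRecordBounded(r io.Reader, maxLen int) ([]byte, error) {
	br := bufio.NewReaderSize(r, 64*1024)
	var rec []byte
	for {
		chunk, err := br.ReadSlice('\n')
		if len(rec)+len(chunk) > maxLen {
			return nil, ErrRecordTooLong
		}
		rec = append(rec, chunk...) // copy: chunk aliases the bufio buffer
		switch {
		case err == nil:
			return rec, nil // delimiter found
		case errors.Is(err, bufio.ErrBufferFull):
			continue // buffer filled without a delimiter; keep reading under the cap
		case errors.Is(err, io.EOF):
			return rec, nil // last record, no trailing newline
		default:
			return nil, err
		}
	}
}

// demo compresses rawBytes of newline-free CSV and feeds the gzip stream to
// both readers. It returns the on-the-wire (compressed) size, how many bytes
// the unbounded reader ended up holding, and the bounded reader's verdict.
func demo(rawBytes, maxLen int) (compressed, unboundedHeld int, boundedErr error, err error) {
	gz := makeNewlineFreeCSV(rawBytes)
	compressed = len(gz)
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return
	}
	line, err := readRecordUnbounded(zr) // holds the whole decompressed stream
	if err != nil {
		return
	}
	unboundedHeld = len(line)
	zr, err = gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return
	}
	_, boundedErr = readRecordBounded(zr, maxLen)
	return
}

func main() {
	compressed, held, boundedErr, err := demo(4<<20, 1<<20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload: %d bytes gzip -> %d bytes decompressed (%.0fx amplification)\n", compressed, held, float64(held)/float64(compressed))
	fmt.Printf("ReadBytes('\\n') held all %d bytes in memory\n", held)
	fmt.Printf("bounded reader with 1 MiB cap: %v\n", boundedErr)
}
```

Run it with `go run`: the first reader ends up holding the full 4 MiB decompressed payload from an upload of a few kilobytes, while the second returns `ErrRecordTooLong` after reading at most one buffer past the cap. The same bound belongs wherever a delimiter-terminated read sits downstream of a decompressor, because the compressed size is the attacker's cost and the decompressed size is the server's.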