
Cloud Vulnerability DB
A community-led vulnerabilities database
MinIO Operator STS, the Operator's native IAM authentication for Kubernetes, was found to have a security vulnerability in versions prior to 7.1.0. If no audiences are provided in the spec.audiences field of the TokenReview request, the audience defaults to that of the Kubernetes apiserver. Without proper scoping, the token can be replayed to other internal systems that may unintentionally trust it (GitHub Advisory, NVD). The vulnerability was discovered on April 22, 2025, and has been patched in version 7.1.0.
The vulnerability stems from improper audience restriction in the TokenReview API call. When validating service account tokens, if no specific audience is set, the apiserver validates the token against its own audience rather than one specific to the Operator. As a result, tokens accepted by the Operator could be replayed to other internal systems that may unintentionally trust them. The issue affects MinIO Operator versions v5.0.x and above, where STS was first introduced as v1alpha1, and became more significant in v6.0.x, when STS graduated to v1beta1 and was enabled by default (GitHub Advisory).
The vulnerability could lead to token leakage and privilege escalation. If exploited, an attacker could replay service account tokens to other internal systems that trust the Kubernetes apiserver audience, potentially gaining unauthorized access to resources. However, the risk is considered moderate because the Operator does not persist the token and uses it only for a single validation (GitHub Advisory).
The issue has been patched in version 7.1.0. The fix ensures that the Operator STS service requires, in the TokenReview request, that the service account JWT carry the audience 'sts.min.io'. Users should update to version 7.1.0 or later. Additionally, it is recommended to disable auto-mounted service account tokens and to request audience-specific tokens with short expiration times (GitHub Advisory, MinIO Release).
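The request-side fix and the audience check a relying party should perform, as an added Go example that is not MinIO Operator code: it builds a TokenReview body with an explicit audience, and rejects replies whose status.audiences does not echo that audience. The helper names and the sample apiserver reply are constructed for illustration; the wire format follows the authentication.k8s.io/v1 TokenReview object.

```go
package main

import (
	"encoding/json"
	"errors"
)
// STSAudience is the audience the patched Operator asks the apiserver for.
const STSAudience = "sts.min.io"
// TokenReview mirrors authentication.k8s.io/v1 TokenReview, reduced to the fields used here.
type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token     string   `json:"token"`
		Audiences []string `json:"audiences,omitempty"`
	} `json:"spec"`
	Status struct {
		Authenticated bool     `json:"authenticated"`
		Audiences     []string `json:"audiences,omitempty"`
		User          struct{ Username string `json:"username"` } `json:"user"`
	} `json:"status"`
}
// Constructed apiserver reply for a token minted with the sts.min.io audience.
var SampleReply = []byte(`{"status":{"authenticated":true,"audiences":["sts.min.io"],"user":{"username":"system:serviceaccount:minio:app"}}}`)
// NewTokenReview builds the body POSTed to the apiserver. With no audiences it
// reproduces the pre-7.1.0 request, checked only against the apiserver's own audience.
func NewTokenReview(token string, audiences ...string) ([]byte, error) {
	var tr TokenReview
	tr.APIVersion, tr.Kind = "authentication.k8s.io/v1", "TokenReview"
	tr.Spec.Token, tr.Spec.Audiences = token, audiences
	return json.Marshal(tr)
}
// CheckReview accepts a reply only if the token authenticated AND status.audiences
// lists the audience we asked for: an authenticated reply with no audiences means
// the token is valid for the apiserver audience, which is the replayable case.
func CheckReview(resp []byte, want string) (string, error) {
	var tr TokenReview
	if err := json.Unmarshal(resp, &tr); err != nil {
		return "", err
	}
	if !tr.Status.Authenticated {
		return "", errors.New("token not authenticated")
	}
	for _, a := range tr.Status.Audiences {
		if a == want {
			return tr.Status.User.Username, nil
		}
	}
	return "", errors.New("token not scoped to audience " + want)
}
```

Pair this with a projected service account token volume whose audience is sts.min.io and a short expirationSeconds, so the token the client presents cannot be accepted by the apiserver audience in the first place.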
Source: This report was generated using AI