CVE-2025-59952: 
Java vulnerability analysis and mitigation

MinIO Java SDK, a Simple Storage Service (S3) client for performing bucket and object operations with Amazon S3 compatible storage services, was found to contain a security vulnerability (CVE-2025-59952) in versions prior to 8.6.0. The vulnerability was disclosed on September 29, 2025, affecting the XML processing functionality of the library (GitHub Advisory).

The vulnerability exists in the XML processing mechanism where tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This behavior was unintended and could expose sensitive system information. The issue has been assigned a CVSS 4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability could lead to the exposure of sensitive information, including credentials, file paths, and system configuration details when processing XML content from untrusted sources. This poses a significant risk of information disclosure, potentially compromising the security of applications that rely on minio-java for object storage operations (GitHub Advisory).

The vulnerability has been fixed in minio-java version 8.6.0, where automatic substitution of XML tag values with system properties or environment variables has been disabled. Users are strongly advised to upgrade to version 8.6.0 or later. For those unable to upgrade immediately, temporary workarounds include refraining from processing XML data from untrusted sources and implementing input sanitization to detect and remove references to system properties or environment variables in XML content (GitHub Advisory, GitHub Release).