
Cloud Vulnerability DB
A community-led vulnerabilities database
MinIO Java SDK (minio-java), a client for Amazon S3 and S3-compatible object storage services, has a high-severity vulnerability (CVE-2025-59952) affecting versions prior to 8.6.0. While processing XML, the SDK automatically substitutes tag values that reference system properties or environment variables with the actual values of those properties or variables, which could expose sensitive information (GitHub Advisory, NVD).
The vulnerability is characterized by improper input validation (CWE-20) and code injection (CWE-94) issues. It received a CVSS v4.0 base score of 8.7 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability allows XML tag values containing system property or environment variable references to be automatically substituted with their actual values during processing (GitHub Advisory).
The vulnerability is primarily an information-disclosure risk. An attacker who can supply XML to an affected minio-java version could craft it to extract sensitive data such as credentials, file paths and system configuration details. The risk is greatest for applications that process XML from untrusted sources (GitHub Advisory).
The vulnerability has been fixed in minio-java version 8.6.0, where automatic substitution of XML tag values with system properties or environment variables has been disabled. For systems unable to upgrade immediately, temporary mitigation measures include avoiding processing XML data from untrusted sources and implementing input validation to detect and remove system property or environment variable references in XML content (GitHub Advisory, MinIO Release).
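The interim mitigation above, as an added defensive example (not MinIO's code): a pre-check that refuses XML carrying interpolation-style placeholders before the document is handed to the SDK's unmarshaller. It assumes the placeholder syntax is `${name}`; the class name, the sample document and the reported paths are illustrative.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public final class XmlSubstitutionGuard {
    // Assumed placeholder syntax: "${name}". Anything that looks like an
    // interpolation reference is flagged before the document reaches the SDK.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{[^}]*\\}");
    /** Returns a path for every element text or attribute value that holds a placeholder. */
    public static List<String> findPlaceholders(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so this pre-check cannot itself be abused via entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Node root = f.newDocumentBuilder()
                     .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        List<String> hits = new ArrayList<>();
        walk(root, "/" + root.getNodeName(), hits);
        return hits;
    }
    private static void walk(Node node, String path, List<String> hits) {
        NamedNodeMap attrs = node.getAttributes();
        for (int i = 0; attrs != null && i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            if (PLACEHOLDER.matcher(a.getValue()).find()) hits.add(path + "/@" + a.getName());
        }
        for (Node c = node.getFirstChild(); c != null; c = c.getNextSibling()) {
            short t = c.getNodeType();
            if (t == Node.ELEMENT_NODE) {
                walk(c, path + "/" + c.getNodeName(), hits);
            } else if ((t == Node.TEXT_NODE || t == Node.CDATA_SECTION_NODE)
                       && PLACEHOLDER.matcher(c.getNodeValue()).find()) {
                hits.add(path + "/text()");
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: an S3-style listing whose <Key> carries a placeholder.
        String sample = "<ListBucketResult><Name>demo</Name><Contents>"
                + "<Key>${user.home}/report.txt</Key></Contents></ListBucketResult>";
        List<String> hits = findPlaceholders(sample);
        if (!hits.isEmpty()) System.err.println("Rejecting XML, placeholders at: " + hits);
    }
}
```

Run the check on any XML received from an untrusted party and drop the document (rather than trying to strip the placeholders) whenever the list is non-empty; upgrading to 8.6.0 remains the real fix.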
Source: This report was generated using AI