logo

Database

Inadequate file size control In github.com/minio/minio

Description

MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing

Impact

What kind of vulnerability is it? Who is impacted?

MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire input in memory until a newline is found. A CSV file with no newline characters causes the entire contents to be read into a single allocation, leading to an OOM crash of the MinIO server process.

This is exploitable by any authenticated user with s3:PutObject and s3:GetObject permissions. The attack is especially practical when combined with compression: a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without newlines, allowing a small upload to cause large memory consumption on the server. However, compression is not required — a sufficiently large uncompressed CSV with no newlines triggers the same issue.

Affected component: internal/s3select/csv/reader.go, function nextSplit().

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Versions

All MinIO releases are through the final release of the minio/minio open-source project.

The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV. The CSV reader has used unbounded line reads since this commit (originally via Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor in PR #8200.

The first affected release is RELEASE.2018-08-18T03-49-57Z.

Patches

Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z

The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no newline is found within this limit, the reader returns an error instead of continuing to buffer.

Binary Downloads

Platform
Architecture
Download

FIPS Binaries

Platform
Architecture
Download

Package Downloads

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

    Disable S3 Select access via IAM policy. Deny the s3:GetObject action with a condition restricting s3:prefix on sensitive buckets, or more specifically, deny SelectObjectContent requests at a reverse proxy by blocking POST requests with ?select&select-type=2 query parameters.

    Restrict PutObject permissions. Limit s3:PutObject grants to trusted principals to reduce the attack surface. Note: this reduces risk but does not eliminate the vulnerability since any authorized user can exploit it.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-394142. NVD-2026-394143. OSV-2026-394144. GHSA-h749-fxx7-pwpg5. GCVE-2026-39414

References

1. https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg2. https://github.com/minio/minio/pull/82003. https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa74. https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.