MinIO
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*
- >= RELEASE.2018-08-18T03-49-57Z, < RELEASE.2025-12-20T04-58-37Z
A denial-of-service vulnerability has been identified in MinIO's S3 Select feature, affecting versions from RELEASE.2018-08-18T03-49-57Z up to but not including RELEASE.2025-12-20T04-58-37Z. The issue arises when S3 Select processes a CSV object whose lines are longer than the available memory: the CSV reader's nextSplit() function reads bytes without any size limit while searching for a newline, so a line that contains no newline is buffered in full until the server runs out of memory and crashes. The vulnerability can be triggered by any authenticated user holding the s3:PutObject and s3:GetObject permissions, and it is exacerbated by gzip compression, which lets a small uploaded object expand into a very large in-memory buffer.
Exploitation of this vulnerability leads to an out-of-memory crash of the MinIO server process.
To reproduce this vulnerability, upload a CSV file that is either uncompressed and sufficiently large without newline characters, or a gzip-compressed CSV of about 2 MB that decompresses to several gigabytes of data without newlines. Ensure that the S3 Select feature is used, as the vulnerability is triggered during the CSV parsing process.
Users should upgrade to MinIO AIStor RELEASE.2025-12-20T04-58-37Z or later. Instructions for upgrading from MinIO Community Edition to MinIO AIStor are available on the MinIO documentation site. If an immediate upgrade is not possible, S3 Select access can be disabled via IAM policy or by blocking certain POST requests at a reverse proxy.
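As an added example, not part of the original advisory and not MinIO's own configuration, the reverse-proxy workaround mentioned above expressed as an nginx configuration. It assumes MinIO is reachable only through this proxy at the constructed upstream address 127.0.0.1:9000 (the hostname and TLS paths are placeholders), and it relies on the S3 SelectObjectContent API being issued as a POST to the object key with a `select` query parameter (`?select&select-type=2`), which is how the S3 API defines that call.

```nginx
# Added example: refuse S3 SelectObjectContent (POST ...?select&select-type=2)
# at the edge until MinIO can be upgraded. Assumed upstream: 127.0.0.1:9000.
http {
    upstream minio_backend {
        server 127.0.0.1:9000;   # constructed address of the MinIO server
    }

    # Evaluates to 1 when the request is a POST whose query string carries a
    # bare "select" parameter (e.g. "select&select-type=2"), 0 otherwise.
    map "$request_method:$args" $block_s3_select {
        default                       0;
        "~^POST:(.*&)?select(&|=|$)"  1;
    }

    server {
        listen 443 ssl;
        server_name s3.example.internal;            # placeholder hostname
        ssl_certificate     /etc/nginx/tls/s3.crt;  # placeholder paths
        ssl_certificate_key /etc/nginx/tls/s3.key;

        location / {
            # Drop S3 Select calls before they reach the CSV reader.
            if ($block_s3_select) {
                return 403;
            }

            # Everything else is forwarded unchanged. Host must be preserved
            # because it is covered by the SigV4 request signature.
            proxy_pass http://minio_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_http_version 1.1;
            proxy_request_buffering off;
        }
    }
}
```

The map is evaluated per request, so ordinary GET, PUT and non-Select POST traffic (multipart uploads, for example) is unaffected and only SelectObjectContent calls receive HTTP 403. The workaround is only effective if no client can reach the MinIO listener directly, and it should be removed once the upgrade is complete.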