CVE-2022-31028

7.5 HIGH

📋 TL;DR

MinIO object storage systems are vulnerable to a denial-of-service attack where HTTP clients can establish connections that never close, causing unending go-routine buildup that consumes system resources. Public-facing MinIO deployments are most affected, potentially leading to service degradation or unavailability. The vulnerability affects MinIO versions from RELEASE.2019-09-25T18-25-51Z through RELEASE.2022-06-02T02-11-04Z.

💻 Affected Systems

Products:
  • MinIO
Versions: RELEASE.2019-09-25T18-25-51Z through RELEASE.2022-06-02T02-11-04Z
Operating Systems: All platforms running MinIO
Default Config Vulnerable: ⚠️ Yes
Notes: Public-facing deployments are most affected, but internal deployments are also vulnerable if attackers gain network access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, preventing legitimate users from accessing object storage services.

🟠 Likely Case: Progressive performance degradation leading to increased latency and potential service timeouts for legitimate users.

🟢 If Mitigated: Minimal impact with proper connection limiting and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP client access and doesn't require authentication or special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2022-06-02T02-11-04Z and later

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636

Restart Required: Yes

Instructions:

1. Back up MinIO configuration and data.
2. Stop the MinIO service.
3. Download and install patched version RELEASE.2022-06-02T02-11-04Z or later.
4. Restart the MinIO service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Reverse Proxy Connection Limiting

Deploy a reverse proxy (nginx, haproxy, etc.) in front of MinIO to limit concurrent connections and actively reject connections from malicious clients.

# Example nginx configuration snippet. limit_conn_zone belongs in the http block;
# limit_conn goes in the server or location block that proxies to MinIO.
limit_conn_zone $binary_remote_addr zone=minio_limit:10m;
limit_conn minio_limit 100;   # at most 100 concurrent connections per client address

🧯 If You Can't Patch

  • Deploy a reverse proxy with connection rate limiting and monitoring
  • Implement network segmentation and firewall rules to restrict access to MinIO endpoints

🔍 How to Verify

Check if Vulnerable:

Check MinIO version with 'minio version' command and compare against affected range.

Check Version:

minio version

Verify Fix Applied:

Verify version is RELEASE.2022-06-02T02-11-04Z or later and monitor for abnormal go-routine growth.

📡 Detection & Monitoring

Log Indicators:

  • Unusual increase in active connections
  • High memory consumption alerts
  • Go-routine count growing without bound

Network Indicators:

  • Abnormally high number of persistent HTTP connections
  • Connection attempts from single sources exceeding normal patterns

SIEM Query:

source="minio" ("connection" OR "goroutine") AND ("high" OR "increase" OR "exhaust")
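As an added example (not from the advisory or from MinIO itself), the following Python check applies the "go-routine count growing without bound" indicator above to scraped metrics: it parses Prometheus text-format scrapes and flags a sustained, never-decreasing climb. The metric name minio_node_go_routine_total is assumed, and the scrape text is constructed for illustration.

```python
import re
from typing import List, Optional

# Assumed name of the MinIO node go-routine gauge; confirm it against your own
# /minio/v2/metrics/cluster scrape before relying on it.
GOROUTINE_METRIC = "minio_node_go_routine_total"

# One Prometheus text-format sample: name, optional {labels}, value.
SAMPLE_RE = re.compile(r"^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{[^}]*\})?\s+(?P<value>[-+0-9.eE]+)")


def parse_gauge(exposition: str, metric: str = GOROUTINE_METRIC) -> Optional[float]:
    """Return the first value of `metric` in one scrape, or None if absent."""
    for line in exposition.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m and m.group("name") == metric:
            return float(m.group("value"))
    return None


def goroutine_growth_alert(samples: List[float], window: int = 6, min_growth: float = 0.5) -> bool:
    """Flag a leak: the last `window` samples never drop and the gauge grew by more than
    `min_growth` (fraction of the window's first sample). Normal load oscillates; a leak only climbs."""
    if len(samples) < window:
        return False
    recent = samples[-window:]
    never_drops = all(later >= earlier for earlier, later in zip(recent, recent[1:]))
    growth = (recent[-1] - recent[0]) / (recent[0] or 1.0)
    return never_drops and growth > min_growth


def _scrape(goroutines: int) -> str:
    """Constructed exposition text standing in for one metrics scrape."""
    return (
        "# TYPE minio_node_go_routine_total gauge\n"
        f'minio_node_go_routine_total{{server="minio-1:9000"}} {goroutines}\n'
        'minio_node_process_uptime_seconds{server="minio-1:9000"} 86400\n'
    )


# Constructed series: a node under normal load, then one leaking go-routines.
HEALTHY_SCRAPES = [_scrape(n) for n in (120, 135, 128, 140, 131, 138, 126, 134)]
LEAKING_SCRAPES = [_scrape(n) for n in (120, 410, 905, 1380, 1890, 2450, 3020, 3600)]


def check_series(scrapes: List[str]) -> bool:
    """Parse each scrape and run the growth check over the resulting series."""
    values = [v for v in (parse_gauge(s) for s in scrapes) if v is not None]
    return goroutine_growth_alert(values)
```

Feed it one parsed value per scrape interval; the window and growth threshold should be tuned to the baseline of your own deployment.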
