CVE Information
- CVE ID: CVE-2025-47907
- CVSS Score: not recorded in the scan output (Trivy reports severity HIGH)
- Severity: HIGH
- Component: minio/mc:RELEASE.2025-07-21T05-28-08Z (Go stdlib v1.24.5)
- Source: Trivy security scan
Vulnerability Description
Race condition in Go's standard library `database/sql` package, reported by Trivy under the title "Database/sql Postgres Scan Race Condition". Cancelling a query's context while `Rows.Scan` is reading its result, with other queries running in parallel on the same connection pool, can let another query's result overwrite the row being scanned, so `Scan` returns another query's data or an error. Fixed in Go 1.24.6. The compiled MinIO client (mc) binary is flagged because it was built with Go 1.24.5, not because it calls `database/sql`.
OmniPDF Impact Assessment
Component Usage
- Used in OmniPDF?: [x] Yes
- Which services: createbucket service (initialization only)
- Usage context: One-time bucket creation during Docker Compose startup
Exploitability
- Can be exploited in our setup?: [ ] Yes [x] No [ ] Unknown
- Attack prerequisites: the process must issue queries through Go's `database/sql` package, cancel a query's context while `Rows.Scan` is running, and have other queries executing concurrently. mc only issues S3 API calls and never opens a `database/sql` connection, so none of these conditions can be met.
- Data at risk: None. mc only creates S3 buckets; there is no PostgreSQL or other `database/sql` usage.
Business Impact
- Service disruption: [x] None [ ] Low [ ] Medium [ ] High
- Data confidentiality risk: [x] None [ ] Low [ ] Medium [ ] High
- Data integrity risk: [x] None [ ] Low [ ] Medium [ ] High
Mitigation Options
Available Fixes
- Official patch available?: [ ] Yes [x] No
- Patch version: Go 1.24.6 fixes the stdlib issue; waiting for a MinIO mc release built with Go 1.24.6 or later.
- Breaking changes?: [ ] Yes [ ] No (cannot be assessed until a patched mc release exists)
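Two checks a reviewer would want before accepting this risk and again when a new mc release appears (added example, not part of the original assessment or of MinIO's tooling): whether the binary really embeds an affected Go toolchain, and whether a candidate release now embeds Go 1.24.6 or later. `go version -m <binary>` prints the embedded toolchain on its first line; the script below parses that line and compares it with the fixed version. The sample `go version -m` output and the binary path `./mc` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original assessment or of MinIO's tooling.
# Checks whether a Go binary embeds a toolchain older than the first version
# that fixes CVE-2025-47907 (Go 1.24.6, per the assessment above).

FIXED_GO_VERSION="go1.24.6"

# Print the toolchain version from `go version -m` output read on stdin.
# The first line looks like "mc: go1.24.5"; later lines are path/mod/dep/build.
embedded_go_version() {
    awk 'NR == 1 { print $2 }'
}

# Return 0 if version $1 is older than $2 (still affected), 1 otherwise.
# Compares dot-separated numeric components so 1.24.10 sorts after 1.24.6;
# a trailing suffix such as "rc1" is dropped by the numeric coercion.
go_version_affected() {
    awk -v a="${1#go}" -v b="${2#go}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0    # older than the fix: affected
            if (ai > bi) exit 1    # newer than the fix
        }
        exit 1                      # equal to the fix version
    }'
}

# Inspect a real binary. Requires a Go toolchain on PATH; `go version -m`
# reads the embedded build info without executing the binary.
check_binary() {
    bin="$1"
    ver=$(go version -m "$bin" | embedded_go_version)
    if go_version_affected "$ver" "$FIXED_GO_VERSION"; then
        echo "$bin: built with $ver (< $FIXED_GO_VERSION): still affected by CVE-2025-47907"
        return 1
    fi
    echo "$bin: built with $ver (>= $FIXED_GO_VERSION): stdlib fix present"
    return 0
}

# Constructed sample of `go version -m mc` output for the release in this
# assessment, used when the script is run without a binary argument.
SAMPLE_BUILDINFO='mc: go1.24.5
	path	github.com/minio/mc
	build	-buildmode=exe
	build	GOOS=linux'

if [ "$#" -gt 0 ]; then
    check_binary "$1"
else
    ver=$(printf '%s\n' "$SAMPLE_BUILDINFO" | embedded_go_version)
    if go_version_affected "$ver" "$FIXED_GO_VERSION"; then
        echo "sample: $ver is older than $FIXED_GO_VERSION: affected"
    fi
fi
```

Run `check_binary ./mc` (or `sh check.sh ./mc`) against a downloaded release; a non-zero exit means the embedded toolchain is still affected. This is the same version-only match Trivy performs. For the reachability argument made under Exploitability, `govulncheck -mode=binary ./mc` is the stronger check: it reports a Go vulnerability only when the affected symbols are actually linked into the binary, so it can confirm that `database/sql`'s `Rows.Scan` is not present in mc rather than relying on the toolchain version alone.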
Workarounds
- None required: mc never exercises `database/sql`, so the vulnerable `Rows.Scan` code path is not reachable in this deployment.
Risk Assessment
Overall Risk Level: [x] Low [ ] Medium [ ] High [ ] Critical
Rationale: Lower risk than the MinIO server for the same CVE: the mc client runs only during initialization, exits as soon as the buckets are created, and never touches PostgreSQL or any `database/sql` code path.
Recommended Action
Decision
Action Taken: Accept Risk - Monitor for upstream fix
Owner: Development Team
Target Date: N/A
Next Review: 2025-10-04
Notes
createbucket service runs once at startup to create MinIO buckets, then exits. Minimal attack surface. Monitor for mc releases with Go 1.24.6+ and confirm the embedded toolchain version of the new release before upgrading.