CVE-2025-47907: MinIO Client (mc) - Go stdlib Postgres Scan Race Condition #185

Description

@NotYuSheng

CVE Information

  • CVE ID: CVE-2025-47907
  • CVSS Score: HIGH severity
  • Severity: HIGH
  • Component: minio/mc:RELEASE.2025-07-21T05-28-08Z (Go stdlib v1.24.5)
  • Source: Trivy security scan

Vulnerability Description

The database/sql Postgres Scan race condition vulnerability in Go's standard library affects the compiled MinIO client (mc) binary, which is statically built against the affected stdlib version.

OmniPDF Impact Assessment

Component Usage

  • Used in OmniPDF?: [x] Yes
  • Which services: createbucket service (initialization only)
  • Usage context: One-time bucket creation during Docker Compose startup

Exploitability

  • Can be exploited in our setup?: [ ] Yes [x] No [ ] Unknown
  • Attack prerequisites: PostgreSQL database interaction via Go's database/sql package
  • Data at risk: None - mc client only creates S3 buckets, no PostgreSQL usage

Business Impact

  • Service disruption: [x] None [ ] Low [ ] Medium [ ] High
  • Data confidentiality risk: [x] None [ ] Low [ ] Medium [ ] High
  • Data integrity risk: [x] None [ ] Low [ ] Medium [ ] High

Mitigation Options

Available Fixes

  • Official patch available?: [ ] Yes [x] No
  • Patch version: Waiting for MinIO mc release with Go 1.24.6+
  • Breaking changes?: [ ] Yes [ ] No

Workarounds

  • Accept risk - vulnerable code path not exercised
  • Limited exposure - container runs briefly at startup only
  • Configuration changes
  • Component replacement

Risk Assessment

Overall Risk Level: [x] Low [ ] Medium [ ] High [ ] Critical

Rationale: Even lower risk than MinIO server - mc client runs only during initialization, exits quickly, and doesn't interact with PostgreSQL databases.

Recommended Action

  • Fix Immediately
  • Schedule Fix
  • Accept Risk - Document and monitor
  • Not Applicable

Decision

Action Taken: Accept Risk - Monitor for upstream fix
Owner: Development Team
Target Date: N/A
Next Review: 2025-10-04

Notes

createbucket service runs once at startup to create MinIO buckets, then exits. Minimal attack surface. Monitor for mc releases with Go 1.24.6+.
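A practical way to carry out the "monitor for mc releases with Go 1.24.6+" action is to inspect the Go toolchain recorded in the mc binary's build info rather than relying on the scanner alone. The script below is an added example, not part of this issue or of the MinIO project; it assumes the first line of `go version -m <binary>` has the form `mc: go1.24.5`, and the build-info text it checks is a constructed sample standing in for real output.

```shell
#!/bin/sh
# Added example: compare the Go toolchain embedded in a binary's build info
# against the minimum version this issue waits for (Go 1.24.6).
# Real input comes from:  go version -m /usr/local/bin/mc
# whose first line looks like "mc: go1.24.5", followed by module lines.

MIN_GO_VERSION="1.24.6"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
    v1="$1"; v2="$2"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# toolchain_from_buildinfo TEXT: extract "1.24.5" from the first line
# "mc: go1.24.5" of `go version -m` output; a pre-release suffix
# such as "rc1" is dropped so the numeric compare stays valid.
toolchain_from_buildinfo() {
    printf '%s\n' "$1" | head -n 1 | sed -e 's/^.*: go//' -e 's/[^0-9.].*$//'
}

# toolchain_ok TEXT: return 0 when the binary described by TEXT was built
# with a toolchain at or above MIN_GO_VERSION, 1 otherwise.
toolchain_ok() {
    v=$(toolchain_from_buildinfo "$1")
    version_ge "$v" "$MIN_GO_VERSION"
}

# Constructed sample matching the component listed in this issue
# (mc built with Go 1.24.5). Not captured from a real binary.
SAMPLE_BUILDINFO="mc: go1.24.5
	path	github.com/minio/mc
	mod	github.com/minio/mc	(devel)"

if toolchain_ok "$SAMPLE_BUILDINFO"; then
    echo "toolchain $(toolchain_from_buildinfo "$SAMPLE_BUILDINFO") >= $MIN_GO_VERSION: stdlib fix present"
else
    echo "toolchain $(toolchain_from_buildinfo "$SAMPLE_BUILDINFO") < $MIN_GO_VERSION: still carries the affected database/sql"
fi
```

To run it against the deployed image, replace the constructed sample with the output of `go version -m` on the mc binary extracted from the createbucket container; a toolchain at or above 1.24.6 is the signal that the upstream fix has landed and this issue can be closed.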
