How severe is GHSA-wc79-7x8x-2p58?

No CVSS score has been assigned to GHSA-wc79-7x8x-2p58 yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-wc79-7x8x-2p58?

GHSA-wc79-7x8x-2p58 affects the following packages: github.com/minio/minio (Go). Ecosystems affected: Go.

How do I fix GHSA-wc79-7x8x-2p58?

Update github.com/minio/minio to 0.0.0-20250227184332-4c71f1b4ec0f or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wc79-7x8x-2p58 is resolved across your whole dependency graph.

How do I detect GHSA-wc79-7x8x-2p58 in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/minio/minio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-wc79-7x8x-2p58 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-wc79-7x8x-2p58?

O3 pinpoints whether GHSA-wc79-7x8x-2p58 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-wc79-7x8x-2p58 actively exploited in the wild?

No public exploit code has been indexed for GHSA-wc79-7x8x-2p58 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-wc79-7x8x-2p58?

GHSA-wc79-7x8x-2p58 has an EPSS (Exploit Prediction Scoring System) score of 0.5%, placing it in the 39th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was GHSA-wc79-7x8x-2p58 published, and has it been updated?

GHSA-wc79-7x8x-2p58 was published on March 3, 2025 and was last updated on March 4, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-wc79-7x8x-2p58

MinIO allows an SFTP authentication bypass due to improperly trusted SSH key

Also known asBIT-minio-2025-27414CVE-2025-27414GO-2025-3495

Published

Mar 3, 2025

Updated

Mar 4, 2025

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.5%probability of exploitation in next 30 days

Lower Risk39th percentile+0.13%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐹github.com/minio/minio

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access.

Details

On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the sshPublicKey attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the sshPublicKey attribute.

Due to the bug, when the user has no sshPublicKey property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups).

The bug was introduced in https://github.com/minio/minio/commit/91e1487de45720753c9e9e4c02b1bd16b7e452fa.

Impact

The following requirements must be met to exploit this vulnerability:

MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider.
Knowledge of an LDAP username that does not have the sshPublicKey property set.
Such an LDAP username or one of their groups must also have some MinIO access policy configured.

When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups).

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/minio/minio`	≥ 0.0.0-20240605075113-91e1487de457&&< 0.0.0-20250227184332-4c71f1b4ec0f	0.0.0-20250227184332-4c71f1b4ec0f

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/minio/minio. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/minio/minio to 0.0.0-20250227184332-4c71f1b4ec0f or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wc79-7x8x-2p58 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wc79-7x8x-2p58 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-wc79-7x8x-2p58. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary _A bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access._ ### Details On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trus

O3 Security · Impact-Aware SCA

Is GHSA-wc79-7x8x-2p58 in your dependencies?

O3 detects GHSA-wc79-7x8x-2p58 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works