Security

A CVE was reported Privilege Escalation via Session Policy Bypass in Service Accounts and STS and fixed in this release,

All users are advised to download and upgrade their MinIO setup immediately.

To install the latest release

go install -v github.com/minio/minio@latest

OR

go install -v github.com/minio/[email protected]

For container environments, please clone the source and build the latest container.

git clone https://github.com/minio/minio
git checkout RELEASE.2025-10-15T17-29-55Z
TAG=myregistry.com/minio/minio:RELEASE.2025-10-15T17-29-55Z make docker

What's Changed

• fix: remove unnecessary replication checks by @0xMALVEE in #21569
• LDAP TLS handshake fails with StartTLS and tls_skip_verify=off by @mosesdd in #21582
• fix: incorrect poolID when after decommission adding pools by @jiuker in #21590
• fix: after saveRebalanceStats cancel will be empty by @jiuker in #21597
• Use new gofumpt by @klauspost in #21613
• fix: timeN function return final closure not be called by @drivebyer in #21615
• Updating readme for MinIO docs by @ravindk89 in #21625
• Update README with Docker and Helm installation instructions by @ravindk89 in #21627
• Bump Go version in toolchain directive to 1.24.8 by @marktheunissen in #21629
• fix: allow trailing slash in AWS S3 POST policies by @cduzer in #21612
• Change documentation link in README by @ravindk89 in #21636
• fix: check sub-policy properly when present by @donatello in #21642

New Contributors

• @mosesdd made their first contribution in #21582
• @cduzer made their first contribution in #21612

Full Changelog: RELEASE.2025-09-07T16-13-09Z...RELEASE.2025-10-15T17-29-55Z

What's Changed

• Update console to v2.0.3 by @bexsoft in #21474
• bring more idempotent behavior to AbortMultipartUpload() by @jiuker in #21475
• fix: record extral skippedEntry for listObject by @jiuker in #21484
• feat: add variable for datasource in grafana dashboards by @hornjo in #21470
• imagePullSecrets consistent types for global , local by @0xMALVEE in #21500
• Optimize outdated commands in the log by @dormanze in #21498
• fix(helm): do not suspend versioning by default for buckets, only set versioning if specified(21349) by @LOCODAK in #21494
• Check legalHoldPerm by @klauspost in #21508
• fix: errUploadIDNotFound will be ignored when err is from peer client by @jiuker in #21504
• fix: claim based oidc for official aws libraries by @0xMALVEE in #21468
• fix: add name and description to ldap accesskey list by @jiuker in #21511
• Modify permission verification type by @dormanze in #21505
• fix: when claim-based OIDC is configured, treat unknown roleArn as claim-based auth by @ianroberts in #21512
• custom user-agent transport wrapper by @0xMALVEE in #21483
• Update docs links throughout by @djwfyi in #21513
• http/listener: fix bugs and simplify by @denpeshkov in #21514
• fix: use amqp.ParseURL to parse amqp url by @jiuker in #21528
• fix: invalid checksum on site replication with conforming checksum types by @marktheunissen in #21535
• Revert dns.msgUnPath, fixes #21541 by @mannreis in #21542
• Run modernize by @klauspost in #21546
• fix: when save the rebalanceStats not found the config file by @jiuker in #21547
• Updated object-browser to the latest version v2.0.4 by @bexsoft in #21564
• fix: return error on conditional write for non existing object by @0xMALVEE in #21550
• Fix support for legacy compression env variables by @WGH- in #21533
• fix: use correct dummy ARN for claim-based OIDC provider when listing access keys by @ianroberts in #21549
• fix: conditional checks write for multipart by @0xMALVEE in #21567

New Contributors

• @LOCODAK made their first contribution in #21494
• @ianroberts made their first contribution in #21512
• @denpeshkov made their first contribution in #21514

Full Changelog: RELEASE.2025-07-23T15-54-02Z...RELEASE.2025-09-07T16-13-09Z

What's Changed

• Add support for X25519MLKEM768 by @loganaden in #21435
• fix: restrict SinglePool by the minimum free drive threshold by @jiuker in #21115
• wait for metadata reads on minDisks+1 for HEAD/GET when data==parity by @harshavardhana in #21449
• fix boundary value bug when objTime ends in whole seconds (without sub-second) by @supermp in #21419
• simplify validating policy mapping by @0xMALVEE in #21450

New Contributors

• @loganaden made their first contribution in #21435
• @supermp made their first contribution in #21419
• @0xMALVEE made their first contribution in #21450

Full Changelog: RELEASE.2025-07-18T21-56-31Z...RELEASE.2025-07-23T15-54-02Z

What's Changed

• Update Console to latest version by @bexsoft in #21397
• CopyObject must preserve checksums and encrypt them if required by @marktheunissen in #21399
• fix: admin api - SetPolicyForUserOrGroup avoid nil deref by @wooffie in #21400
• fix: lambda handler response to match the lambda return status by @harshavardhana in #21436

Full Changelog: RELEASE.2025-06-13T11-33-47Z...RELEASE.2025-07-18T21-56-31Z

What's Changed

• s3: Fix early listing stopping when ILM is enabled (#472) by @vadmeste in #21246
• Update README.md by @varun28sharma in #21125
• fix: empty fileName cause Reader nil for PostPolicyBucketHandler by @jiuker in #21323
• fix: panic for TestListObjectsWithILM by @jiuker in #21322
• modernizes for loop in cmd/, internal/ by @12ya in #21309
• Add targetArn label for bucket replication metrics by @shtripat in #21354
• allow cross-compiling support for RISC-V 64 by @ffgan in #21348
• [ILM] fix: add region config to s3 client on ilm s3 backend #21364 by @BasixKOR in #21365
• add networkpolicy for job and add possibility to define egress ports by @hornjo in #20951
• fix: when ListMultipartUploads append result from cache should filter with bucket by @jiuker in #21376
• fix: honor renamePart's PathNotFound by @jiuker in #21378

New Contributors

• @varun28sharma made their first contribution in #21125
• @12ya made their first contribution in #21309
• @ffgan made their first contribution in #21348
• @BasixKOR made their first contribution in #21365
• @hornjo made their first contribution in #20951

Full Changelog: RELEASE.2025-05-24T17-08-30Z...RELEASE.2025-06-13T11-33-47Z

Highlights

• Removal of boringcrypto support - since go1.24.x, you can now simply use the GOFIPS environment variable on the same binary.
• Embedded UI Console is now deprecated and moved to object-browser
  • External IDP logins via LDAP/OIDC are removed as well; these are now available as part of the AiStor Product.
  • STS APIs continue to work if someone wishes to build UI in front.
• For all paying customers, we recommend that if you are planning to upgrade, you should upgrade to AiStor.
• Open a SUBNET issue so that we can guide you further on the AiStor migration.
• AiStor binaries are backwards compatible, so you can upgrade your existing open source deployment to AiStor seamlessly.

What's Changed

• Correct spelling by @shtripat in #21225
• update minio/kms-go/kms SDK by @aead in #21233
• Fix nil dereference in adding service account by @taran-p in #21235
• Use go mod tool to install tools for go generate by @klauspost in #21232
• Add documentation for replication_max_lrg_workers by @cniackz in #21236
• fix: after AbortMultipartUpload can do PutObjectPart success that sta… by @jiuker in #21229
• typo: return actual error from RemoveRemoteTargetsForEndpoint by @wooffie in #21238
• feat: support nats nkey seed auth by @matthewdavidlloyd in #21231
• fix: track object and bucket for exipreAll by @jiuker in #21241
• cleanup: use NewWithOptions replace the Deprecated one by @jiuker in #21243
• return error for AppendObject() API by @harshavardhana in #21272
• Update UI console to the latest version by @bexsoft in #21278
• Allow FTPS to force TLS by @klauspost in #21251
• remove support for FIPS 140-2 with boringcrypto by @aead in #21292
• fix: unable to get net.Interface cause panic by @jiuker in #21277
• Update Console UI to latest version by @bexsoft in #21294
• heal: Avoid disabling scanner healing in single and dist erasure mode by @vadmeste in #21302
• fix: Use mime encode for Non-US-ASCII metadata by @jiuker in #21282
• docs: use github-style-notes in the readme by @CommanderStorm in #21308

New Contributors

• @CommanderStorm made their first contribution in #21308

Full Changelog: RELEASE.2025-04-22T22-12-26Z...RELEASE.2025-05-24T17-08-30Z

What's Changed

• move to go1.24 by @harshavardhana in #21114
• Fix buffered streams missing final entries by @klauspost in #21122
• typo: fix error msg for decoding XL headers by @wooffie in #21120
• build(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /docs/debugging/s3-verify by @dependabot in #21185
• typo: fix return of checkDiskFatalErrs by @wooffie in #21121
• build(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /docs/debugging/inspect by @dependabot in #21192
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by @dependabot in #21200
• build(deps): bump golang.org/x/net from 0.34.0 to 0.38.0 in /docs/debugging/s3-verify by @dependabot in #21199
• build(deps): bump github.com/nats-io/nats-server/v2 from 2.9.23 to 2.10.27 by @dependabot in #21191
• Fix shared error buffer by @klauspost in #21203
• support autogenerated credentials for KMS_SECRET_KEY properly by @harshavardhana in #21223
• fix: batch expiry job doesn't report delete marker in batch-status me… by @jiuker in #21183
• Nats tls handshake first by @matthewdavidlloyd in #21008

New Contributors

• @matthewdavidlloyd made their first contribution in #21008

Full Changelog: RELEASE.2025-04-08T15-41-24Z...RELEASE.2025-04-22T22-12-26Z

What's Changed

• decom: Ignore orphan delete markers in verification stage by @vadmeste in #21106
• ilm: Expect objects with only free versions when scanning by @krisis in #21112

Full Changelog: RELEASE.2025-04-03T14-56-28Z...RELEASE.2025-04-08T15-41-24Z

Security

Refer to CVE-2025-31489

What's Changed

• fix(templates): replace dash with underscore by @itsJohnySmith in #19566
• build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 by @dependabot in #21055
• Updating PromQL queries to include tilde needed to work with 'all' variable by @excircle in #21054
• build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 by @dependabot in #21056
• Migrate golanglint-ci config to V2 by @taran-p in #21081
• Add new API endpoint to revoke STS tokens by @taran-p in #21072
• fix call toAPIErrorCode with a nil value error after check another err by @alingse in #21083
• fix: token is invalid for admin heal when minio is distErasure at windows by @jiuker in #21092
• chore(all): replace map key deletion loop with clear() by @1911860538 in #21082
• internal: add handling of KVS config parse by @wooffie in #21079
• Fix anonymous unsigned trailing headers by @klauspost in #21095
• Fix: Change TTFB metric type to histogram by @iamsagar99 in #20999
• Try reconnect IAM systems if failed initially by @shtripat in #20333
• Fix evaluation of NewerNoncurrentVersions by @krisis in #21096
• make sure to validate signature unsigned trailer stream by @harshavardhana in #21103
• Fix description error in README by @justforlxz in #21099

New Contributors

• @itsJohnySmith made their first contribution in #19566
• @excircle made their first contribution in #21054
• @wooffie made their first contribution in #21079
• @iamsagar99 made their first contribution in #20999
• @justforlxz made their first contribution in #21099

Full Changelog: RELEASE.2025-03-12T18-04-18Z...RELEASE.2025-04-03T14-56-28Z

What's Changed

• Enforce a bucket limit of 100 to v2 metrics calls by @klauspost in #20761
• Update typos config by @donatello in #21018
• Update ssh and jws libs for fixed CVEs by @donatello in #21017
• Disable unstable test by @klauspost in #20996
• decom: Ignore not found buckets (#509) by @vadmeste in #21023

Full Changelog: RELEASE.2025-02-28T09-55-16Z...RELEASE.2025-03-12T18-04-18Z