Release new MC to close CVEs
Expected behavior
Clean security scans (no CVEs)
Actual behavior
bin/mc (gobinary)
=================
Total: 6 (HIGH: 6, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-47912 │ HIGH │ fixed │ v1.24.6 │ 1.24.8, 1.25.2 │ The Parse function permits values other than IPv6 addresses │
│ │ │ │ │ │ │ to be incl... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47912 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-58183 │ │ │ │ │ golang: archive/tar: Unbounded allocation when parsing GNU │
│ │ │ │ │ │ │ sparse map │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58183 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-58186 │ │ │ │ │ Despite HTTP headers having a default limit of 1MB, the │
│ │ │ │ │ │ │ number of... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58186 │
│ ├────────────────┤ │ │ ├────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-58187 │ │ │ │ 1.24.9, 1.25.3 │ Due to the design of the name constraint checking algorithm, │
│ │ │ │ │ │ │ the proce... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58187 │
│ ├────────────────┤ │ │ ├────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-58188 │ │ │ │ 1.24.8, 1.25.2 │ Validating certificate chains which contain DSA public keys │
│ │ │ │ │ │ │ can cause ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-58188 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-61724 │ │ │ │ │ The Reader.ReadResponse function constructs a response │
│ │ │ │ │ │ │ string through ... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-61724 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
Steps to reproduce the behavior
Run trivy on mc
mc --version
mc version RELEASE.2025-08-13T08-35-41Z (commit-id=7394ce0dd2a80935aded936b09fa12cbb3cb8096)
Runtime: go1.24.6 linux/arm64
Copyright (c) 2015-2025 MinIO, Inc.
License GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Looking at go.mod I think you're already fixed with go1.24.9 ... you just need a new release. Thanks!
Looking forward to a new release of MC with clean CVEs... Any word on when we can expect a release?
Check out the minio/minio README. They aren't maintaining any of this anymore. I built mc from source in the meantime but we're moving on from minio as I suspect the entire community will do.
Hey, I'm wondering if you can share your alternative for mc tools. As for the entire minio, I have found rustfs and garagehq.
Versitygw looks like it has a lot of issues. I think we will go with garage.