
CVE-2022-31028: CWE-400: Uncontrolled Resource Consumption in minio minio

Medium
Published: Fri Jun 03 2022 (06/03/2022, 14:40:11 UTC)
Source: CVE
Vendor/Project: minio
Product: minio

Description

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

AI-Powered Analysis

Last updated: 06/22/2025, 00:37:20 UTC

Technical Analysis

CVE-2022-31028 is a vulnerability identified in MinIO, a widely used multi-cloud object storage solution. The issue affects MinIO versions starting from RELEASE.2019-09-25T18-25-51Z up to but not including RELEASE.2022-06-02T02-11-04Z. The vulnerability is classified under CWE-400, which relates to uncontrolled resource consumption. Specifically, the flaw allows an attacker to cause an unending buildup of goroutines (lightweight threads in the Go programming language) by maintaining open HTTP connections that the server does not close. This results in resource exhaustion on the server, potentially leading to denial of service (DoS) conditions. The vulnerability primarily impacts public-facing MinIO deployments where external clients can establish connections. The root cause is the failure of the server to close connections when HTTP clients do not close them, so the server keeps spawning goroutines indefinitely. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of service disruption. The vendor has addressed this issue in RELEASE.2022-06-02T02-11-04Z, and users are strongly advised to upgrade to this or a later version. As a mitigation, deploying a reverse proxy in front of MinIO to limit and control the number of incoming connections can reduce the risk by rejecting malicious clients attempting to exhaust resources. This vulnerability does not require authentication or user interaction to be exploited, making it accessible to unauthenticated attackers who can reach the MinIO service endpoint.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on MinIO for critical object storage services in public or hybrid cloud environments. Resource exhaustion caused by unbounded goroutine buildup can lead to degraded performance or complete denial of service, disrupting business operations, data availability, and potentially affecting dependent applications and services. This can impact sectors such as finance, healthcare, government, and cloud service providers that use MinIO for scalable storage solutions. The disruption may also lead to indirect effects such as loss of customer trust, regulatory compliance issues (especially under GDPR if data availability is compromised), and financial losses due to downtime. Since the vulnerability can be exploited remotely without authentication, the attack surface is broad, particularly for internet-facing MinIO instances. Organizations with public-facing storage endpoints are at higher risk, whereas internal deployments behind strict network controls may be less exposed.

Mitigation Recommendations

1. Immediately upgrade to MinIO RELEASE.2022-06-02T02-11-04Z or later to apply the official patch addressing the uncontrolled resource consumption issue.
2. Deploy a reverse proxy or load balancer (e.g., NGINX, HAProxy) in front of MinIO to limit the number of simultaneous connections per client IP and implement connection timeouts to prevent resource exhaustion from slow or malicious clients.
3. Implement network-level access controls such as firewall rules or VPNs to restrict access to MinIO endpoints only to trusted clients and internal networks where possible.
4. Monitor MinIO server metrics and logs for unusual spikes in goroutine counts, connection attempts, or resource usage to detect potential exploitation attempts early.
5. Conduct regular security assessments and penetration testing focused on resource exhaustion and DoS vectors in the storage infrastructure.
6. Consider rate limiting and anomaly detection mechanisms at the application or network layer to identify and block abusive traffic patterns targeting MinIO services.
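The failure mode behind this CVE and the controls in recommendations 2 and 4 (connection caps, connection timeouts, goroutine monitoring) can be shown in a few lines of Go, since MinIO is a Go HTTP server. The following is an added example written for this page; it is not MinIO's code and not the vendor's patch. It shows the general defensive pattern: a zero-valued `http.Server` never times out idle or slow connections, so each connection that a client keeps open holds a serving goroutine indefinitely. The hardened server sets `ReadHeaderTimeout` and `IdleTimeout`, a `LimitedListener` caps concurrently accepted connections so the kernel backlog absorbs the rest, and `GoroutineAboveThreshold` is the kind of check a metrics exporter would run. The bind address, cap of 256, timeout values and the `limit-check` threshold are assumptions chosen for illustration.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"runtime"
	"sync"
	"time"
)

// LimitedListener caps the number of simultaneously open accepted connections.
// Accept blocks once the cap is reached until one accepted connection is closed,
// so a flood of clients that never close their sockets cannot grow the goroutine
// count without bound (same idea as golang.org/x/net/netutil.LimitListener).
type LimitedListener struct {
	net.Listener
	sem chan struct{} // one token per live accepted connection
}

func NewLimitedListener(l net.Listener, max int) *LimitedListener {
	return &LimitedListener{Listener: l, sem: make(chan struct{}, max)}
}

func (l *LimitedListener) Accept() (net.Conn, error) {
	l.sem <- struct{}{} // acquire a slot; blocks when at capacity
	c, err := l.Listener.Accept()
	if err != nil {
		<-l.sem // give the slot back on accept failure
		return nil, err
	}
	return &limitedConn{Conn: c, release: func() { <-l.sem }}, nil
}

// Active reports how many accepted connections currently hold a slot.
func (l *LimitedListener) Active() int { return len(l.sem) }

// limitedConn releases its listener slot exactly once when closed.
type limitedConn struct {
	net.Conn
	once    sync.Once
	release func()
}

func (c *limitedConn) Close() error {
	err := c.Conn.Close()
	c.once.Do(c.release)
	return err
}

// NewHardenedServer returns an http.Server whose timeouts close connections
// that send headers slowly or sit idle on keep-alive. With all four timeouts
// left at zero (the default), the server waits forever and the goroutine
// serving each open connection is never reclaimed. Values are assumptions.
func NewHardenedServer(h http.Handler) *http.Server {
	return &http.Server{
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,  // slowloris-style header dribbling is cut off
		ReadTimeout:       30 * time.Second,  // whole request must arrive within this window
		WriteTimeout:      60 * time.Second,  // response must be written within this window
		IdleTimeout:       120 * time.Second, // quiet keep-alive connections are closed
	}
}

// GoroutineAboveThreshold returns the live goroutine count and whether it
// exceeds threshold; exporting this as a gauge and alerting on it is the
// monitoring signal from recommendation 4.
func GoroutineAboveThreshold(threshold int) (int, bool) {
	n := runtime.NumGoroutine()
	return n, n > threshold
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:9000") // assumption: placeholder bind address
	if err != nil {
		log.Fatal(err)
	}
	srv := NewHardenedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n, high := GoroutineAboveThreshold(10000) // assumption: alert threshold
		if high {
			log.Printf("goroutine count %d above threshold", n)
		}
		w.Write([]byte("ok\n"))
	}))
	log.Fatal(srv.Serve(NewLimitedListener(ln, 256))) // assumption: 256 concurrent connections
}
```

The listener cap is a backstop, not a substitute for the upgrade: it bounds the goroutine count but still lets a small number of hostile clients occupy all slots, which is why the advisory's reverse-proxy recommendation (per-client limits and active rejection in front of MinIO) remains the primary control.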


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf660e

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 12:37:20 AM

Last updated: 8/6/2025, 5:20:35 PM
