Detections
Analytics

CVE-2025-64179

medium

Description

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

References

https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8

https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60

Details

Source: Mitre, NVD

Published: 2025-11-06

Updated: 2025-11-12

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00042