CVE-2025-64179 | THREATINT

Description

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

PUBLISHED Reserved 2025-10-28 | Published 2025-11-06 | Updated 2025-11-07 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-862: Missing Authorization

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 1.71.0

affected

References

github.com/...lakeFS/security/advisories/GHSA-h238-5mwf-8xw8

github.com/...ommit/1c8adab852dac2387fcb00a256402b308a610c60

cve.org (CVE-2025-64179)

nvd.nist.gov (CVE-2025-64179)

Download JSON