CVE-2025-64179

lakeFS: Unauthenticated access to API usage metrics

CVSS 5.3 MEDIUMEPSS 0.3%CWE-200 CWE-862

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Nov 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

treeverse · lakeFS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60 https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8