CVE-2025-64179

lakeFS: Unauthenticated access to API usage metrics

CVSS 5.3 MEDIUMEPSS 0.3%CWE-200 CWE-862

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

06 nov 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Produtos afetados

treeverse · lakeFS

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60 https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8