CVE-2025-27100
📋 TL;DR
An authenticated denial-of-service vulnerability in lakeFS allows authenticated users to crash the server by exhausting memory. This affects lakeFS versions 1.49.1 and below. The issue has been patched in version 1.50.0.
💻 Affected Systems
- lakeFS
⚠️ Manual Verification Required
The automated check on this page cannot determine whether a given install is affected because the CVE database entry used here carries no machine-readable version range. The vendor advisory linked below does state the range: all releases before 1.50.0 are affected, and 1.50.0 contains the fix. Confirm your version manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with lakeFS server crashing due to memory exhaustion, disrupting all Git-like repository operations on object storage.
Likely Case
Service disruption and downtime requiring server restart, impacting development workflows and data operations.
If Mitigated
Limited impact where the vendor fix or the pre-signed multipart workaround is in place, credentials are issued only to trusted users, and memory alerting allows a fast restart if the server is still hit.
🎯 Exploit Status
Exploitation requires valid lakeFS credentials; per the vendor advisory, any authenticated user can trigger the memory exhaustion. No special privileges beyond a login are stated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.50.0
Vendor Advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-j7jw-28jm-whr6
Restart Required: Yes
Instructions:
1. Back up the current lakeFS configuration.
2. Upgrade lakeFS to version 1.50.0 or later.
3. Restart the lakeFS service.
4. Verify the service is running and reports the new version.
🔧 Temporary Workarounds
Disable Pre-Signed Multipart (environment variable)
Set the following environment variable before starting lakeFS to disable the pre-signed multipart upload functionality involved in this issue:
export LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART=true
YAML Configuration Workaround
The same setting in the lakeFS configuration file lives under the S3 blockstore section (the environment variable name above maps to this path):
blockstore:
  s3:
    disable_pre_signed_multipart: true
🧯 If You Can't Patch
- Limit who holds lakeFS credentials, since any authenticated user can trigger the issue, and alert on abnormal server memory growth so the service can be restarted quickly
- Apply the workaround above to disable pre-signed multipart uploads until you can upgrade
🔍 How to Verify
Check if Vulnerable:
Check lakeFS version with 'lakefs version' command and compare against affected versions
Check Version:
lakefs version
Verify Fix Applied:
Confirm the reported version is 1.50.0 or later. If you are still on a vulnerable version, confirm instead that the pre-signed multipart workaround is in effect in the running configuration; do not attempt to reproduce the memory exhaustion against a production server.
📡 Detection & Monitoring
Log Indicators:
- Abnormal memory usage spikes
- Server crash logs
- Repeated multipart operations
Network Indicators:
- Increased traffic to multipart endpoints
- Authentication logs showing repeated requests
SIEM Query:
source="lakefs" AND (memory_usage>90% OR error="crash" OR multipart_requests>threshold)
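The query above is pseudo-syntax. As an added example, not part of the original page or the lakeFS project, the script below implements the "repeated multipart operations" indicator concretely: it reads JSON request log lines, keeps a sliding window of multipart-related requests per user, and reports any user whose count inside the window reaches a threshold. The log field names (`time`, `user`, `method`, `path`), the path patterns matched (`/staging/pmpu` for the pre-signed multipart API and `?uploads` / `uploadId=` for S3-gateway multipart calls), and the sample lines are assumptions and constructed data; adjust them to your lakeFS log format before use.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed request-path patterns for multipart activity (pre-signed multipart
# API and S3-gateway multipart operations). Tune to your deployment.
MULTIPART_PATH = re.compile(r"/staging/pmpu(/|$)|[?&](uploads|uploadId=)")


def parse_line(line: str):
    """Parse one JSON log record into (timestamp, user, method, path).
    Raises ValueError/KeyError on malformed or non-request records."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return ts, rec.get("user", "<anonymous>"), rec.get("method", ""), rec.get("path", "")


def flag_multipart_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {user: peak_count} for every user whose multipart-related
    request count within any sliding `window` reached `threshold`.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # user -> timestamps of recent multipart calls
    flagged = {}
    for line in lines:
        try:
            ts, user, _method, path = parse_line(line)
        except (ValueError, KeyError):
            continue              # skip malformed lines and records without a time
        if not MULTIPART_PATH.search(path):
            continue              # only multipart-related requests count
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop calls that fell out of the window
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


# Constructed sample log lines (not real lakeFS output): six multipart
# creations by "attacker" within 25 seconds, two by "alice", one non-request
# record and one malformed line.
_PMPU = "/api/v1/repositories/demo/branches/main/staging/pmpu"
SAMPLE_LOG_LINES = [
    '{"time":"2025-02-20T10:00:00Z","level":"info","msg":"server started"}',
    'this line is not json',
] + [
    json.dumps({"time": f"2025-02-20T10:00:{5 * i:02d}Z", "user": "attacker",
                "method": "POST", "path": _PMPU, "status_code": 200})
    for i in range(6)
] + [
    json.dumps({"time": "2025-02-20T10:00:12Z", "user": "alice",
                "method": "POST", "path": _PMPU, "status_code": 200}),
    json.dumps({"time": "2025-02-20T10:00:40Z", "user": "alice",
                "method": "GET", "path": "/api/v1/repositories/demo", "status_code": 200}),
]

if __name__ == "__main__":
    print(flag_multipart_bursts(SAMPLE_LOG_LINES, threshold=5))
```

The threshold and window should be set from a baseline of your own multipart traffic; a sudden per-user burst well above that baseline, especially when correlated with rising server memory, is the signal to investigate and, if needed, revoke that user's credentials.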