CVE-2025-64179
📋 TL;DR
This vulnerability in lakeFS allows unauthenticated access to the /api/v1/usage-report/summary endpoint, enabling anyone to retrieve aggregate API usage statistics. While no sensitive data is exposed, this could reveal information about service activity patterns and uptime. Organizations running lakeFS versions 1.69.0 and below with internet-facing deployments are affected.
💻 Affected Systems
- lakeFS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could monitor API usage patterns to infer business activity, identify peak usage times for potential DDoS attacks, or gather reconnaissance data about the lakeFS deployment.
Likely Case
Information disclosure about API usage patterns and service uptime, potentially revealing operational details about the lakeFS deployment.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to trusted networks only.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.71.0
Vendor Advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8
Restart Required: Yes
Instructions:
1. Back up your lakeFS configuration and data.
2. Stop the lakeFS service.
3. Upgrade to version 1.71.0 or later.
4. Restart the lakeFS service.
5. Verify the fix by testing access to the endpoint.
🔧 Temporary Workarounds
Block endpoint via load balancer
Configure the load balancer or application firewall to block requests to the /api/v1/usage-report/summary endpoint.
# Example nginx configuration (every client gets 403 for this path):
location /api/v1/usage-report/summary {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement network segmentation to restrict access to lakeFS API endpoints to trusted networks only
- Deploy a web application firewall (WAF) with rules to block unauthenticated access to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to http://[lakeFS-host]/api/v1/usage-report/summary without authentication. If it returns usage data, the system is vulnerable.
Check Version:
lakefs version
Verify Fix Applied:
After patching, attempt the same unauthenticated GET request. It should return 401 Unauthorized or be blocked entirely.
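The two checks above (before and after patching) can be run as one script. This is an added example, not code from the advisory or from the lakeFS project; the host, the default port 8000 and the response classification are assumptions, and the sample body in the test is constructed.

```python
"""Unauthenticated probe of the lakeFS usage-report endpoint, as a verification aid.

Added example (not from the advisory or the lakeFS project). It sends one GET
with no Authorization header and no cookies and turns the response into a verdict:
  200 + JSON object -> "vulnerable"  (endpoint served data without credentials)
  401               -> "fixed"       (server demanded authentication)
  403 / 404         -> "blocked"     (WAF / nginx workaround in front of it)
  anything else     -> "inconclusive"
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT_PATH = "/api/v1/usage-report/summary"


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and body from the unauthenticated request to a verdict."""
    if status == 200:
        try:
            parsed = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "inconclusive"  # 200 but not JSON: probably a proxy or login page
        return "vulnerable" if isinstance(parsed, dict) else "inconclusive"
    if status == 401:
        return "fixed"
    if status in (403, 404):
        return "blocked"
    return "inconclusive"


def check(base_url: str, timeout: float = 5.0) -> str:
    """Issue the single unauthenticated GET and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status code is still what we want to classify
        return classify(err.code, err.read())


if __name__ == "__main__":
    # Assumed default: lakeFS listens on port 8000 when run locally.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    print(f"{target}{ENDPOINT_PATH}: {check(target)}")
```

Run it once before and once after the upgrade (or after adding the load-balancer rule): the verdict should move from "vulnerable" to "fixed" or "blocked". A TLS-terminating proxy that serves an HTML page on 200 is reported as "inconclusive" rather than "fixed", so it does not hide a still-exposed endpoint.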
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /api/v1/usage-report/summary endpoint
- Multiple failed authentication attempts followed by successful unauthenticated access
Network Indicators:
- HTTP GET requests to /api/v1/usage-report/summary from untrusted sources
- Unusual traffic patterns to the lakeFS API
SIEM Query:
source="lakefs" AND (uri_path="/api/v1/usage-report/summary" AND http_method="GET")
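The log and network indicators above can be evaluated offline against an access log. This is an added example, not code from the advisory or from lakeFS; it assumes the nginx "combined" log format and a trusted CIDR of 10.0.0.0/8, and the log lines are constructed.

```python
"""Scan access-log lines for GETs to the lakeFS usage-report endpoint from untrusted sources.

Added example (not from the advisory or the lakeFS project). Assumptions:
nginx "combined" log format in front of lakeFS, and 10.0.0.0/8 as the trusted
network. Each hit is tagged "served" (HTTP 200: data left the service) or
"denied" (any other status: a blocked or rejected probe, still worth a count).
"""
import ipaddress
import re

ENDPOINT_PATH = "/api/v1/usage-report/summary"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# combined format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_suspicious(lines, trusted_nets=TRUSTED_NETS):
    """Return (time, ip, status, verdict) for GETs to the endpoint from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]  # ignore query string when matching the path
        if path != ENDPOINT_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed client field; skip rather than crash the scan
        if any(ip in net for net in trusted_nets):
            continue
        status = int(m["status"])
        hits.append((m["time"], m["ip"], status, "served" if status == 200 else "denied"))
    return hits


# Constructed sample log lines (documentation-range client addresses).
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Nov/2025:09:00:01 +0000] "GET /api/v1/usage-report/summary HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Nov/2025:09:00:05 +0000] "GET /api/v1/usage-report/summary HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Nov/2025:09:00:06 +0000] "GET /api/v1/usage-report/summary?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Nov/2025:09:00:10 +0000] "GET /api/v1/repositories HTTP/1.1" 401 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Nov/2025:09:00:12 +0000] "POST /api/v1/usage-report/summary HTTP/1.1" 405 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for time, ip, status, verdict in find_suspicious(SAMPLE_LOG):
        print(f"{time} {ip} {status} {verdict}")
```

Only the second and third sample lines are reported: the first comes from the trusted range, the fourth is a different path, and the fifth is not a GET. A "served" hit from an untrusted address after the patch date is the one that warrants an incident ticket; a run of "denied" hits from one address is scanning activity that the WAF rule is already absorbing.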