CVE-2025-68671

6.5 MEDIUM

📋 TL;DR

The lakeFS S3 gateway checked the signature on incoming S3 API requests but did not compare the signed request timestamp with the server clock. A valid signed request captured from the network, from logs or from a compromised client can therefore be resent and executed again at any later time. Because the signature is bound to the signing secret, replay remains possible until the lakeFS credentials that produced it are rotated. All lakeFS deployments that expose the S3 gateway are affected in versions prior to 1.75.0.

💻 Affected Systems

Products:
  • lakeFS
Versions: All versions prior to 1.75.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using lakeFS's S3 gateway functionality.

📦 What is this software?

lakeFS (Treeverse) is open-source, Git-like version control for data kept in object storage such as S3, GCS or Azure Blob. Its S3 gateway exposes an S3-compatible API so unmodified S3 clients (AWS CLI, boto3, Spark, Hadoop) can read and write versioned repositories, authenticating with lakeFS access keys and AWS-style request signing.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized data access, modification, or deletion in object storage repositories through replayed administrative or data manipulation requests.

🟠

Likely Case

Unauthorized data access or modification by replaying captured S3 API requests, potentially leading to data integrity issues.

🟢

If Mitigated

Limited impact if the gateway is reachable only over TLS from trusted networks (so signed requests are hard to capture), logs that record Authorization headers are protected, and credentials are rotated frequently so that any captured request expires with its key.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires capturing valid signed requests through network interception (plaintext HTTP), logs that record Authorization headers, or a compromised client. A replay re-executes the captured operation as-is: the signed method, path and headers cannot be altered without invalidating the signature, so the attacker's reach is bounded by what the legitimate client did (a captured DELETE or an overwriting PUT is the dangerous case). One caveat: whether the request body is bound depends on the client's payload-signing mode. SigV4 clients that send x-amz-content-sha256: UNSIGNED-PAYLOAD leave the body unsigned, and a replayed upload could then carry attacker-chosen content.
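The missing check, shown as an added example rather than lakeFS's own gateway code: a reduced SigV4-style signer plus a verifier that models the pre-1.75.0 behaviour (HMAC checked, timestamp ignored) beside one that also enforces the timestamp. The canonical string, the 15-minute skew window, the secret and the S3-style error names (SignatureDoesNotMatch, RequestTimeTooSkewed) are assumptions of the example; real SigV4 also signs the query string, the other signed headers and the payload hash, and lakeFS's actual limit and error codes are not stated in the advisory. Running main shows the same captured DELETE accepted three hours later by the vulnerable verifier and rejected by the fixed one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SignedRequest is a reduced SigV4-style request: the signature binds the
// method, the path and the signed X-Amz-Date header. Constructed for this
// example; a real SigV4 canonical request also covers the query string, the
// other signed headers and the payload hash.
type SignedRequest struct {
	Method    string
	Path      string
	AmzDate   string // value of the signed X-Amz-Date header, e.g. 20250101T120000Z
	Signature string // hex HMAC-SHA256 over stringToSign
}

const amzDateLayout = "20060102T150405Z"

// MaxClockSkew mirrors the 15-minute window AWS S3 tolerates between the
// signed timestamp and the server clock (assumed here; lakeFS's own limit is
// not stated in the advisory).
const MaxClockSkew = 15 * time.Minute

func stringToSign(method, path, amzDate string) string {
	return strings.Join([]string{method, path, "x-amz-date:" + amzDate}, "\n")
}

func computeSignature(secret, method, path, amzDate string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(stringToSign(method, path, amzDate)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Sign is the client side: stamp the request with the current time and sign it.
func Sign(secret, method, path string, at time.Time) SignedRequest {
	amzDate := at.UTC().Format(amzDateLayout)
	return SignedRequest{
		Method:    method,
		Path:      path,
		AmzDate:   amzDate,
		Signature: computeSignature(secret, method, path, amzDate),
	}
}

func signatureValid(secret string, r SignedRequest) bool {
	want := computeSignature(secret, r.Method, r.Path, r.AmzDate)
	return hmac.Equal([]byte(want), []byte(r.Signature))
}

// VerifyVulnerable models the pre-1.75.0 behaviour: the HMAC is checked, so
// the signed fields cannot be altered, but the signed timestamp is never
// compared with the server clock, so a captured request verifies forever.
func VerifyVulnerable(secret string, r SignedRequest, now time.Time) error {
	if !signatureValid(secret, r) {
		return errors.New("SignatureDoesNotMatch")
	}
	return nil
}

// VerifyFixed adds the missing step: after the HMAC check, reject any request
// whose X-Amz-Date lies outside MaxClockSkew of the server clock.
func VerifyFixed(secret string, r SignedRequest, now time.Time) error {
	if !signatureValid(secret, r) {
		return errors.New("SignatureDoesNotMatch")
	}
	ts, err := time.Parse(amzDateLayout, r.AmzDate)
	if err != nil {
		return errors.New("InvalidRequest: malformed X-Amz-Date")
	}
	skew := now.UTC().Sub(ts)
	if skew < 0 {
		skew = -skew
	}
	if skew > MaxClockSkew {
		return errors.New("RequestTimeTooSkewed")
	}
	return nil
}

func main() {
	secret := "constructed-lakefs-secret-key" // constructed for the example
	t0 := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	// A legitimate client deletes an object; the attacker captures this exact request.
	captured := Sign(secret, "DELETE", "/my-repo/main/data/table.parquet", t0)
	// Three hours later the attacker resends it unchanged.
	replayAt := t0.Add(3 * time.Hour)
	fmt.Println("vulnerable gateway:", VerifyVulnerable(secret, captured, replayAt)) // <nil>: executed again
	fmt.Println("fixed gateway:     ", VerifyFixed(secret, captured, replayAt))      // RequestTimeTooSkewed
}
```

The vulnerable verifier is not wrong about the signature: replay works precisely because the HMAC still matches, and only the freshness check separates a live client from an attacker holding a captured request. The skew is compared as an absolute value, so a client whose clock runs ahead is rejected too, which is why clients need NTP-accurate time once the fix is in place.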

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.75.0

Vendor Advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f

Restart Required: Yes

Instructions:

1. Stop the lakeFS service.
2. Update to version 1.75.0 or later.
3. Restart the lakeFS service.
4. Rotate all lakeFS access keys (the S3-style credentials clients use with the gateway): a request captured earlier can still be replayed against any instance that has not yet been upgraded, and rotation also retires keys that may have been exposed wherever the request was captured.

🔧 Temporary Workarounds

Credential Rotation (applies to: all)

Rotate the lakeFS access keys used with the S3 gateway frequently; a captured request is only replayable while the key that signed it remains valid.

Network Segmentation (applies to: all)

Restrict access to the lakeFS S3 gateway to trusted networks only, and serve it over TLS so signed requests cannot be captured in transit.

🧯 If You Can't Patch

  • Monitor gateway access logs for the same Authorization signature reappearing, especially from a different source IP or long after it was first seen
  • Rotate all lakeFS access keys used with the S3 gateway immediately and establish a frequent rotation schedule; a captured request dies with the key that signed it
  • Serve the gateway only over TLS and keep Authorization headers out of logs, since a request that cannot be captured cannot be replayed
  • Where a reverse proxy fronts the gateway, have it reject requests whose signed timestamp (X-Amz-Date, or Date when X-Amz-Date is absent) is more than a few minutes from the proxy's clock; this restores the missing freshness check outside lakeFS

🔍 How to Verify

Check if Vulnerable:

Check lakeFS version: if version < 1.75.0 and S3 gateway is enabled, system is vulnerable.

Check Version:

lakefs version

Verify Fix Applied:

Verify lakeFS version is 1.75.0 or later, then test that timestamp validation is enforced: resend a previously captured signed request, or send one signed with an X-Amz-Date older than the allowed clock skew, and confirm the gateway rejects it instead of executing it.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests carrying the same Authorization signature, especially from different source IPs or spread over more than the allowed clock skew (a same-second duplicate from one client is usually a retry)
  • Requests whose signed X-Amz-Date (or Date) is well in the past being processed successfully, which a fixed gateway should refuse

Network Indicators:

  • Repeated identical HTTP requests to lakeFS S3 endpoint
  • Unusual request patterns matching previously observed traffic

SIEM Query:

source="lakefs" signature=* | stats count dc(src_ip) AS sources min(_time) AS first_seen max(_time) AS last_seen BY signature http_request | where count > 1 AND (sources > 1 OR last_seen - first_seen > 900)

Splunk-style and illustrative: the signature, src_ip and http_request field names are placeholders to map onto your own log schema, and the query only works if the Signature= value of the Authorization header is actually logged. It reports a signature reused from more than one source or more than 15 minutes (900 s) apart, which excludes an immediate single-client retry.
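The log indicators above as a runnable check over constructed gateway access lines (an added example, not lakeFS's own logging or detection code). The line layout, the field names and the 15-minute window are assumptions; your lakeFS or reverse-proxy logs need their own parser, and the Signature= value from the Authorization header must be logged for the replay check to work at all.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogEntry is one S3 gateway access record. The layout is constructed for this
// example; map the fields onto what your lakeFS or reverse-proxy logs record.
type LogEntry struct {
	Seen      time.Time // when the gateway processed the request
	SrcIP     string
	Method    string
	Path      string
	AmzDate   time.Time // the signed X-Amz-Date carried in the request
	Signature string    // the Signature= value from the Authorization header
}

const amzDateLayout = "20060102T150405Z"

// MaxClockSkew is the tolerance a fixed gateway should enforce (15 minutes,
// as AWS S3 does; assumed here).
const MaxClockSkew = 15 * time.Minute

// SampleLog is constructed: one DELETE seen three times (an immediate same-IP
// retry, then a replay hours later from another address) plus an unrelated GET.
// Fields: seen src_ip method path x-amz-date signature
const SampleLog = `
2025-01-01T12:00:05Z 10.0.0.5     DELETE /my-repo/main/data/table.parquet 20250101T120000Z 9f3c1a
2025-01-01T12:00:06Z 10.0.0.5     DELETE /my-repo/main/data/table.parquet 20250101T120000Z 9f3c1a
2025-01-01T15:30:00Z 203.0.113.7  DELETE /my-repo/main/data/table.parquet 20250101T120000Z 9f3c1a
2025-01-01T12:01:00Z 10.0.0.6     GET    /my-repo/main/data/other.parquet 20250101T120055Z 41d2e8
`

// ParseLog reads the whitespace-separated lines of SampleLog's layout.
func ParseLog(raw string) ([]LogEntry, error) {
	var out []LogEntry
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("unexpected field count in %q", line)
		}
		seen, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		amz, err := time.Parse(amzDateLayout, f[4])
		if err != nil {
			return nil, err
		}
		out = append(out, LogEntry{Seen: seen, SrcIP: f[1], Method: f[2], Path: f[3], AmzDate: amz, Signature: f[5]})
	}
	return out, nil
}

type Alert struct {
	Kind      string // "stale-timestamp" or "replayed-signature"
	Signature string
	Detail    string
}

func absDuration(d time.Duration) time.Duration {
	if d < 0 {
		return -d
	}
	return d
}

// Detect returns, in order: every request processed although its signed
// timestamp was outside MaxClockSkew (only a vulnerable gateway does this),
// then every signature reused from more than one source IP or across a span
// longer than MaxClockSkew. A same-IP duplicate within seconds is usually a
// client retry and is not reported on its own.
func Detect(entries []LogEntry) []Alert {
	var alerts []Alert
	bySig := map[string][]LogEntry{}
	for _, e := range entries {
		if d := absDuration(e.Seen.Sub(e.AmzDate)); d > MaxClockSkew {
			alerts = append(alerts, Alert{"stale-timestamp", e.Signature,
				fmt.Sprintf("%s %s from %s processed %s after it was signed", e.Method, e.Path, e.SrcIP, d)})
		}
		bySig[e.Signature] = append(bySig[e.Signature], e)
	}
	sigs := make([]string, 0, len(bySig))
	for s := range bySig {
		sigs = append(sigs, s)
	}
	sort.Strings(sigs) // map order is random; keep the report deterministic
	for _, sig := range sigs {
		es := bySig[sig]
		if len(es) < 2 {
			continue
		}
		ips := map[string]bool{}
		first, last := es[0].Seen, es[0].Seen
		for _, e := range es {
			ips[e.SrcIP] = true
			if e.Seen.Before(first) {
				first = e.Seen
			}
			if e.Seen.After(last) {
				last = e.Seen
			}
		}
		if len(ips) > 1 || last.Sub(first) > MaxClockSkew {
			alerts = append(alerts, Alert{"replayed-signature", sig,
				fmt.Sprintf("%d uses from %d source IPs over %s", len(es), len(ips), last.Sub(first))})
		}
	}
	return alerts
}

func main() {
	entries, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(entries) {
		fmt.Printf("%-18s sig=%s %s\n", a.Kind, a.Signature, a.Detail)
	}
}
```

On the sample data the check raises two alerts for signature 9f3c1a: the 15:30 request was processed three and a half hours after it was signed, and the signature was used from two different addresses; the 12:00:06 duplicate from the original client alone would not have been reported.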

🔗 References

  • https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f