CVE-2025-27100

MEDIUM

lakeFS < 1.50.0 - Authenticated Denial of Service via Memory Exhaustion

Title source: llm

Description

lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.0. Users on versions 1.49.1 and below are affected. Users are advised to upgrade. Users unable to upgrade should either set the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configure the `disable_pre_signed_multipart` key to true in their config yaml.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/treeverse/lakeFS/security/advisories/GHSA-j7jw-28jm-whr6

Patch x_refsource_misc

https://github.com/treeverse/lakeFS/commit/3a625752acdf3f8e137bec20451e71d0f9fa82f2

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0040

EPSS Percentile 31.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

treeverse/lakefs 0 - 1.50.0Go

treeverse/lakeFS < 1.50.0

Published Feb 21, 2025

Tracked Since Feb 18, 2026