CVE-2025-64179

MEDIUM

Treeverse Lakefs < 1.71.0 - Information Disclosure

Title source: rule

Description

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8

Patch x_refsource_misc

https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0005

EPSS Percentile 14.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200 CWE-862

Status published

Products (2)

treeverse/lakefs 0 - 1.71.0Go

treeverse/lakeFS < 1.71.0

Published Nov 06, 2025

Tracked Since Feb 18, 2026