CVE-2025-64179
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64179, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-06

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-06
Last Modified
2025-11-12
Generated
2026-07-06
AI Q&A
2025-11-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
treeverse lakefs 1.71.0
treeverse lakefs 1.69.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in lakeFS versions 1.69.0 and below, where the /api/v1/usage-report/summary endpoint lacks authentication. This allows anyone to access and retrieve aggregate API usage counts without authorization. Although no sensitive data is disclosed, the exposed information may reveal details about service activity or uptime. The issue is fixed in version 1.71.0.

Impact Analysis

The vulnerability can impact you by allowing unauthorized users to access aggregate API usage data, which may reveal information about your service's activity or uptime. While it does not expose sensitive data, this information could potentially be used to infer operational patterns or system availability.

Detection Guidance

You can detect this vulnerability by checking if the /api/v1/usage-report/summary endpoint is accessible without authentication on your lakeFS instance. For example, you can use a command like: curl -i http://<lakefs-host>/api/v1/usage-report/summary and observe if it returns aggregate API usage counts without requiring credentials.

Mitigation Strategies

To mitigate this vulnerability immediately, you should either upgrade lakeFS to version 1.71.0 or later where the issue is fixed, or as a workaround, configure a load-balancer or application-level firewall to block requests to the /api/v1/usage-report/summary endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart