CVE-2025-64179
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-06

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-06
Last Modified
2025-11-12
Generated
2026-05-07
AI Q&A
2025-11-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64179
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
treeverse lakefs 1.71.0
treeverse lakefs 1.69.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in lakeFS versions 1.69.0 and below, where the /api/v1/usage-report/summary endpoint lacks authentication. This allows anyone to access and retrieve aggregate API usage counts without authorization. Although no sensitive data is disclosed, the exposed information may reveal details about service activity or uptime. The issue is fixed in version 1.71.0.


How can this vulnerability impact me? :

The vulnerability can impact you by allowing unauthorized users to access aggregate API usage data, which may reveal information about your service's activity or uptime. While it does not expose sensitive data, this information could potentially be used to infer operational patterns or system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if the /api/v1/usage-report/summary endpoint is accessible without authentication on your lakeFS instance. For example, you can use a command like: curl -i http://<lakefs-host>/api/v1/usage-report/summary and observe if it returns aggregate API usage counts without requiring credentials.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should either upgrade lakeFS to version 1.71.0 or later where the issue is fixed, or as a workaround, configure a load-balancer or application-level firewall to block requests to the /api/v1/usage-report/summary endpoint.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart