CVE-2025-68671
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lakefs | lakefs | before 1.75.0 (1.75.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68671 is a vulnerability in lakeFS's S3 gateway where the system does not validate the expiration timestamps on presigned URLs or authenticated requests. This means that an attacker who captures a valid signed request can reuse or replay that request even after it is supposed to have expired, until the credentials are rotated. The issue arises because lakeFS fails to enforce the expiration time on presigned URLs, allowing unauthorized access beyond the intended validity period. This vulnerability affects versions prior to 1.75.0 and has been fixed by adding strict validation of expiration times in the S3 gateway. [1, 3]
How can this vulnerability impact me?
This vulnerability allows attackers to perform replay attacks by reusing captured valid signed requests or presigned URLs beyond their intended expiration. This can lead to unauthorized access to data stored via lakeFS's S3 gateway, potentially exposing sensitive information or allowing unauthorized operations. The risk remains until credentials are rotated or access keys are deactivated. Mitigations before upgrading include frequent credential rotation and restricting access to trusted networks, but the vulnerability can still lead to confidentiality and integrity impacts. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for replayed presigned S3 requests that are accepted beyond their expiration time. Since lakeFS prior to version 1.75.0 does not enforce expiration on presigned URLs, you can attempt to generate a presigned URL with a short expiration (e.g., 1 minute) and then try to use it after expiration. If the request still succeeds, the system is vulnerable. There are no specific error codes or logs indicating the vulnerability. Commands to test this could include using the `obstore` Python library with the `S3Store` class to generate presigned URLs with the `expires_in` parameter, then performing HTTP GET requests to the URL after expiration to check if access is still granted. [1]
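The monitoring described above can be done retrospectively over gateway or reverse-proxy access logs. The following is an added example, not code from the advisory or from lakeFS: it computes each presigned URL's expiry from its query parameters (SigV4 `X-Amz-Date` plus `X-Amz-Expires`, and, going beyond the case in the text, the SigV2 `Expires` epoch) and flags requests that were served successfully after that time. The log layout, the sample lines and the function names are assumptions constructed for the example; adapt the line parsing to what your gateway or proxy actually records.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

UTC = timezone.utc

def presign_expiry(url):
    """Return the UTC expiry of a presigned S3 URL, or None if it is not presigned."""
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "x-amz-date" in q and "x-amz-expires" in q:
        # SigV4 query auth: signing time plus a lifetime in seconds.
        signed = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
        return signed + timedelta(seconds=int(q["x-amz-expires"]))
    if "expires" in q and "signature" in q:
        # SigV2 query auth: absolute expiry as epoch seconds.
        return datetime.fromtimestamp(int(q["expires"]), tz=UTC)
    return None

def accepted_after_expiry(log_lines, skew=timedelta(0)):
    """Return (timestamp, path, seconds_late) for presigned requests served after expiry."""
    hits = []
    for line in log_lines:
        ts, status, _method, url = line.split(maxsplit=3)
        expiry = presign_expiry(url)
        if expiry is None or int(status) >= 400:
            continue  # not presigned, or the gateway rejected it
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        late = (when - expiry - skew).total_seconds()
        if late > 0:
            hits.append((ts, urlsplit(url).path, int(late)))
    return hits

# Constructed sample lines in an assumed "<time> <status> <method> <url>" layout.
_URL = ("/repo/main/data.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Date=20260110T120000Z&X-Amz-Expires=60&X-Amz-Signature=EXAMPLE")
SAMPLE_LOG = [
    f"2026-01-10T12:00:30Z 200 GET {_URL}",               # inside the 60 s window
    f"2026-01-10T12:05:00Z 200 GET {_URL}",               # served 240 s after expiry
    f"2026-01-10T12:06:00Z 403 GET {_URL}",               # rejected by the gateway
    "2026-01-10T12:07:00Z 200 GET /repo/main/other.csv",  # header-authenticated, not presigned
]

if __name__ == "__main__":
    for hit in accepted_after_expiry(SAMPLE_LOG):
        print(hit)
```

Any hit means a presigned request was honoured past its signed lifetime; the `skew` argument lets you tolerate clock drift between the log source and the signer.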
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading lakeFS to version 1.75.0 or later, where the vulnerability is fixed by enforcing presigned URL expiration validation. Until the upgrade, you should frequently rotate access credentials to limit the window for replay attacks, deactivate old keys promptly, and restrict S3 gateway access to trusted networks or IP addresses to reduce exposure. These mitigations reduce risk but do not fully eliminate the vulnerability. [3]