Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64179

CVE-2025-64179: lakeFS Information Disclosure Vulnerability

CVE-2025-64179 is an information disclosure flaw in lakeFS that exposes API usage data through an unauthenticated endpoint. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-64179 Overview

CVE-2025-64179 is a missing authentication vulnerability in lakeFS, an open-source tool that transforms object storage into Git-like repositories. The flaw exists in the /api/v1/usage-report/summary endpoint in versions 1.69.0 and below. Any unauthenticated network attacker can query this endpoint to retrieve aggregate API usage counts. The issue is fixed in version 1.71.0. The exposed data reveals service activity and uptime information rather than sensitive user content. The vulnerability is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

Critical Impact

Unauthenticated remote attackers can retrieve aggregate API usage telemetry from affected lakeFS deployments, exposing information about service activity and uptime.

Affected Products

  • lakeFS versions 1.69.0 and below
  • lakeFS deployments exposing the /api/v1/usage-report/summary endpoint
  • Treeverse lakeFS self-hosted installations without upstream authentication controls

Discovery Timeline

  • 2025-11-06 - CVE-2025-64179 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64179

Vulnerability Analysis

lakeFS exposes a REST API endpoint at /api/v1/usage-report/summary that returns aggregate usage counters for the installation. In releases up to and including 1.69.0, the handler GetUsageReportSummary in pkg/api/controller.go executes without invoking any authentication check. Any client that can reach the API over the network receives a valid response with usage data.

The returned payload does not contain user credentials, object contents, or repository data. However, it discloses installation-level activity metrics. An attacker can use these metrics to infer service uptime, deployment scale, and general usage patterns. This information supports reconnaissance for follow-on attacks against the lakeFS instance or backing object storage.

The vulnerability requires no privileges, no user interaction, and is exploitable over the network with a single HTTP request. This maps directly to [CWE-200] information exposure.

Root Cause

The GetUsageReportSummary handler was registered as a public route without a call to auth.GetUser(ctx). Other lakeFS API handlers verify caller identity before executing business logic, but this handler skipped that check. The result is unauthenticated access to an endpoint intended for administrative or telemetry contexts.

Attack Vector

An attacker sends an unauthenticated HTTP GET request to /api/v1/usage-report/summary on any reachable lakeFS instance running an affected version. The server responds with JSON containing aggregate API usage counts and installation identifiers. No prior access, credentials, or user interaction is required.

go
// Patch: pkg/api/controller.go
func (c *Controller) GetUsageReportSummary(w http.ResponseWriter, r *http.Request) {
    ctx := r.Context()

+   // verify user is authenticated
+   _, err := auth.GetUser(ctx)
+   if err != nil {
+       writeError(w, r, http.StatusUnauthorized, ErrAuthenticatingRequest)
+       return
+   }
+
+   c.LogAction(ctx, "usage_report_summary", r, "", "", "")
+
    installationID := c.usageReporter.InstallationID()
    if installationID == "" {
        writeError(w, r, http.StatusNotFound, "usage report is not enabled")

Source: treeverse/lakeFS commit 1c8adab. The patch adds an auth.GetUser(ctx) check that returns HTTP 401 for unauthenticated requests and logs the action.

Detection Methods for CVE-2025-64179

Indicators of Compromise

  • HTTP GET requests to /api/v1/usage-report/summary originating from unauthenticated or unexpected source addresses
  • Successful HTTP 200 responses to this endpoint in access logs where no Authorization header was present
  • Unusual request volume against lakeFS API endpoints from a single external source

Detection Strategies

  • Query web server or reverse proxy logs for the exact path /api/v1/usage-report/summary and flag any request lacking authentication headers.
  • Correlate access log entries with the lakeFS installation version to identify exposure on hosts running 1.69.0 or earlier.
  • Alert on 200-status responses to the endpoint when the source IP is outside the expected administrative range.

Monitoring Recommendations

  • Enable and forward lakeFS access logs to a centralized logging platform for retention and search.
  • Monitor for baseline deviations in request rate against the lakeFS API surface, particularly from public network segments.
  • Track deployment inventory to confirm all lakeFS instances are running version 1.71.0 or later.

How to Mitigate CVE-2025-64179

Immediate Actions Required

  • Upgrade all lakeFS instances to version 1.71.0 or later, which enforces authentication on the /api/v1/usage-report/summary endpoint.
  • Audit access logs for prior requests to the endpoint and document any external source addresses that queried it.
  • Restrict network exposure of lakeFS API endpoints so only trusted clients can reach the service.

Patch Information

The fix is committed in treeverse/lakeFS commit 1c8adab852dac2387fcb00a256402b308a610c60 and released in lakeFS 1.71.0. Details are published in GitHub Security Advisory GHSA-h238-5mwf-8xw8.

Workarounds

  • Block requests to the path /api/v1/usage-report/summary at a load balancer or web application firewall in front of lakeFS.
  • Place lakeFS behind an authenticating reverse proxy that requires credentials before forwarding requests to the API.
  • Restrict inbound network access to the lakeFS API using firewall rules or private network segmentation until the upgrade is applied.
bash
# Example nginx rule to block the vulnerable endpoint
location = /api/v1/usage-report/summary {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.