CVE-2025-68671 Overview
lakeFS is an open-source tool that transforms object storage into Git-like repositories. A significant authentication bypass vulnerability has been identified in lakeFS's S3 gateway component. The gateway fails to validate timestamps in authenticated requests, enabling replay attacks against the system. Prior to version 1.75.0, an attacker who captures a valid signed request through network interception, logs, or compromised systems can replay that request indefinitely until credentials are rotated, even after the original request was intended to expire.
Critical Impact
Attackers can replay captured authenticated requests to gain unauthorized access to lakeFS repositories, potentially leading to data exfiltration, unauthorized modifications, or persistent access to sensitive object storage data.
Affected Products
- lakeFS versions prior to 1.75.0
- lakeFS S3 Gateway component
- Systems using lakeFS with S3-compatible authentication
Discovery Timeline
- 2026-01-15 - CVE CVE-2025-68671 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-68671
Vulnerability Analysis
This vulnerability is classified under CWE-294 (Authentication Bypass by Capture-Replay), which represents a fundamental weakness in the authentication implementation of lakeFS's S3 gateway. The core issue stems from the gateway's failure to validate temporal components in signed requests, effectively neutralizing the time-limited nature of authenticated S3 requests.
In properly implemented S3 authentication schemes, each request includes a timestamp and signature that together ensure the request is valid only within a specific time window. The lakeFS S3 gateway accepts these signed requests but does not verify that the timestamp falls within an acceptable range, allowing attackers to reuse captured requests long after they should have expired.
The attack surface is particularly concerning because valid signed requests may be exposed through various channels including network traffic interception, access logs, debugging output, or compromised proxy systems. Once an attacker obtains a valid signed request, they can replay it repeatedly until the underlying credentials are manually rotated.
Root Cause
The root cause of this vulnerability lies in the incomplete implementation of the S3 authentication signature validation process within the lakeFS S3 gateway. While the gateway correctly validates the cryptographic signature of incoming requests, it neglects to enforce the temporal validity constraints that are fundamental to preventing replay attacks. This missing validation check allows signed requests to remain valid indefinitely, contrary to the security model expected by users of S3-compatible APIs.
Attack Vector
The attack leverages network-level access to capture legitimate authenticated requests. An attacker positioned to intercept traffic between clients and the lakeFS S3 gateway can capture signed requests and store them for later use. The attack follows this sequence:
- Interception: Attacker captures a valid signed S3 request through network sniffing, log access, or man-in-the-middle positioning
- Storage: The captured request, complete with authentication headers, is stored for future use
- Replay: At any later time, the attacker replays the exact captured request to the lakeFS S3 gateway
- Authentication Bypass: The gateway validates the signature but not the timestamp, granting access
- Persistent Access: The attacker can continue replaying requests until credentials are manually rotated
The vulnerability does not require authentication of its own, as it exploits already-authenticated requests. The attack can be executed remotely across the network against any exposed lakeFS S3 gateway endpoint.
Detection Methods for CVE-2025-68671
Indicators of Compromise
- Duplicate authenticated requests with identical signatures appearing in access logs at different times
- Requests with timestamps significantly older than the current time being successfully processed
- Unusual patterns of repeated API calls with the same authentication headers from different source IPs
- Successful authentications for requests containing expired or stale timestamp values
Detection Strategies
- Implement log analysis rules to identify requests with identical signature components occurring over extended time periods
- Deploy network monitoring to detect replayed HTTP requests with matching authentication headers
- Configure alerting for successful S3 gateway authentications where the request timestamp differs significantly from the server time
- Audit access patterns for anomalous repeated operations that match previously recorded legitimate requests
Monitoring Recommendations
- Enable detailed request logging on the lakeFS S3 gateway including full authentication headers and timestamps
- Monitor for sudden increases in API activity patterns that may indicate automated replay attacks
- Track credential usage patterns to identify if specific access keys are being used in unexpected ways or from unusual locations
- Implement real-time analysis of request timestamps versus server time to flag potential replay attempts
How to Mitigate CVE-2025-68671
Immediate Actions Required
- Upgrade lakeFS to version 1.75.0 or later immediately to address the timestamp validation issue
- Rotate all existing credentials and access keys that may have been exposed in network traffic or logs
- Review access logs for any signs of replay attacks during the period the vulnerable version was in use
- Implement network-level encryption (TLS/HTTPS) if not already in place to reduce the risk of request interception
Patch Information
The vulnerability has been addressed in lakeFS version 1.75.0. The fix introduces proper timestamp validation for all authenticated S3 gateway requests, ensuring that requests outside of an acceptable time window are rejected. The patch can be reviewed at the GitHub commit. Additional details are available in the GitHub Security Advisory and the related issue discussion.
Workarounds
- Implement network segmentation to limit access to the lakeFS S3 gateway to trusted network segments only
- Deploy a reverse proxy or API gateway in front of lakeFS that performs request timestamp validation
- Reduce credential lifetime and implement more frequent credential rotation schedules to limit the replay window
- Enable and monitor detailed access logging to detect potential replay attacks while awaiting the patch deployment
# Configuration example
# Upgrade lakeFS to patched version
# For Docker deployments:
docker pull treeverse/lakefs:1.75.0
docker stop lakefs-container
docker run -d --name lakefs-container treeverse/lakefs:1.75.0
# For Helm deployments:
helm repo update
helm upgrade lakefs lakefs/lakefs --set image.tag=1.75.0
# Rotate credentials after upgrade
lakectl auth users credentials create --id <user-id>
lakectl auth users credentials delete --id <user-id> --access-key-id <old-access-key>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
