Vulnerability Description
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lakefs | Lakefs | < 1.75.0 |
Related Weaknesses (CWE)
References
- https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2Patch
- https://github.com/treeverse/lakeFS/issues/9599Issue TrackingExploit
- https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55fVendor Advisory
FAQ
What is CVE-2025-68671?
CVE-2025-68671 is a vulnerability with a CVSS score of 6.5 (MEDIUM). lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to...
How severe is CVE-2025-68671?
CVE-2025-68671 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68671?
Check the references section above for vendor advisories and patch information. Affected products include: Lakefs Lakefs.