{"id":"CVE-2025-64179","summary":"lakeFS: Unauthenticated access to API usage metrics","details":"lakeFS is an open-source tool that transforms object storage into Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0. To work around the vulnerability, use a load-balancer or application-level firewall in order to block the request route /api/v1/usage-report/summary.","aliases":["GHSA-h238-5mwf-8xw8","GO-2025-4090"],"modified":"2026-04-10T05:33:43.797126Z","published":"2025-11-06T21:57:18.234Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64179.json","cwe_ids":["CWE-200","CWE-862"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64179.json"},{"type":"ADVISORY","url":"https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64179"},{"type":"FIX","url":"https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/treeverse/lakefs","events":[{"introduced":"0"},{"fixed":"32d3dd82d396edd160cddd131e2e6dcc92693173"}]}],"versions":["0.81.0","0.81.1","1.48.1","ci/binary_without_archive","hadoop-lakefs-0.1.11","hadoop-lakefs-0.1.12","hadoop-lakefs-0.1.14","hadoop-lakefs-0.1.15","hadoop-lakefs-0.1.17","hadoop-lakefs-0.2.0","hadoop-lakefs-0.2.1","hadoop-lakefs-0.2.5","lakefs-rclone-export-0.3.0","lakefs-rclone-export-0.3.1","lakefs-spark-client-0.10.0","lakefs-spark-client-0.11.0","lakefs-spark-client-0.14.0","lakefs-spark-client-0.14.2","lakefs-spark-client-0.2.2","lakefs-sp
ark-client-0.3.0","lakefs-spark-client-0.4.0","lakefs-spark-client-0.5.0","lakefs-spark-client-0.5.1","lakefs-spark-client-0.5.2","lakefs-spark-client-0.6.0","lakefs-spark-client-0.6.2","lakefs-spark-client-0.6.3","lakefs-spark-client-0.6.4","lakefs-spark-client-0.6.5","lakefs-spark-client-0.7.2","lakefs-spark-client-0.7.3","lakefs-spark-client-0.8.0","lakefs-spark-client-0.8.1","lakefs-spark-client-0.9.0","lakefs-spark-client-0.9.1","list","ls","v0.10.0","v0.10.1","v0.10.2","v0.100.0","v0.101.0","v0.101.1","v0.102.0","v0.102.1","v0.102.2","v0.103.0","v0.104.0","v0.105.0","v0.106.0","v0.106.1","v0.106.2","v0.107.0","v0.107.1","v0.108.0","v0.109.0","v0.11.0","v0.11.1","v0.110.0","v0.111.0","v0.111.1","v0.111.2-RC.0","v0.112.0","v0.112.1","v0.113.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.16.1","v0.16.2","v0.17.0","v0.18.0","v0.19.0","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.21.2","v0.21.3","v0.21.4","v0.22.0","v0.22.1","v0.23.0","v0.23.1","v0.30.0","v0.31.0","v0.31.1","v0.31.2","v0.32.0","v0.32.1","v0.33.0","v0.33.1","v0.40.0","v0.40.1","v0.40.2","v0.40.3","v0.41.0","v0.41.1","v0.42.0","v0.43.0","v0.44.0","v0.44.1","v0.45.0","v0.45.1","v0.46.0","v0.47.0","v0.48.0","v0.48.1","v0.49","v0.49.0","v0.50.0","v0.51.0","v0.52.0","v0.52.1","v0.52.2","v0.53.0","v0.53.1","v0.54.0","v0.55.0","v0.56.0","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.58.1","v0.59.0","v0.60.0","v0.60.1","v0.61.0","v0.62.0","v0.63.0","v0.64.0","v0.65.0","v0.66.0","v0.67.0","v0.68.0","v0.69.0","v0.69.1","v0.70.0","v0.70.1","v0.70.2","v0.70.3","v0.70.4","v0.70.5","v0.70.6","v0.8.1","v0.8.2","v0.80.0","v0.80.1","v0.82.0","v0.83.0","v0.83.2","v0.83.3","v0.83.4","v0.84.0","v0.85.0","v0.86.0","v0.87.0","v0.87.1","v0.88.0","v0.89.0","v0.9.0","v0.90.0","v0.90.1","v0.91.0","v0.92.0","v0.93.0","v0.93.0-RC.0","v0.94.0","v0.94.1","v0.95.0","v0.96.0","v0.96.1","v0.97.0","v0.97.1","v0.97.2","v0.97.3","v0.97.4","v0.97.5","v0.98.0","v0.99.0","v0.99.1","v1.0.0","v1.1.0","v1.10.0","v1.11.0","v1.11.1","v1.
12.0","v1.12.1","v1.13.0","v1.14.0","v1.14.1","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.19.0","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.26.0","v1.26.1","v1.27.0","v1.28.0","v1.28.1","v1.28.2","v1.29.0","v1.3.0","v1.3.1","v1.30.0","v1.30.1","v1.31.0","v1.31.1","v1.32.0","v1.32.1","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.39.1","v1.39.1-test","v1.39.2","v1.4.0","v1.40.0","v1.41.0","v1.42.0","v1.43.0","v1.44.0","v1.45.0","v1.46.0","v1.47.0","v1.48.0","v1.48.1","v1.48.2","v1.49.0","v1.49.1","v1.5.0","v1.50.0","v1.51.0","v1.52.0","v1.53.0","v1.53.1","v1.54.0","v1.55.0","v1.56.0","v1.56.1","v1.57.0","v1.58.0","v1.59.0","v1.6.0","v1.60.0","v1.61.0","v1.62.0","v1.63.0","v1.64.0","v1.64.1","v1.65.0","v1.65.1","v1.65.2","v1.66.0","v1.67.0","v1.68.0","v1.69.0","v1.7.0","v1.70.0","v1.70.1","v1.8.0","v1.9.0","v1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64179.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}