5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-64179

GHSA ID

GHSA-h238-5mwf-8xw8

EPSS Score

CWE

CWE-200

Published

11/3/2025

Updated

11/3/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64179

CVE-2025-64179: lakeFS affected by unauthenticated access to API usage metrics

Impact

Missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime.

Patches

Upgrade to >v1.70.1

Workarounds

Any ONE of these is sufficient to block this reporting:

Disable usage reporting by setting configuration option usage_report.enabled or environment variable LAKEFS_USAGE_REPORT_ENABLED to false.
Using load-balancer or application level firewall - blocking the request route /api/v1/usage-report/summary.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-64179

GHSA ID

GHSA-h238-5mwf-8xw8

EPSS Score

CWE

CWE-200

Published

11/3/2025

Updated

11/3/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/treeverse/lakefs	go	< 1.71.0	1.71.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated commit 1c8adab852dac2387fcb00a256402b308a610c60 clearly indicates that the vulnerability is a missing authentication check in the /api/v1/usage-report/summary endpoint. The patch directly modifies the GetUsageReportSummary function in pkg/api/controller.go to add the necessary authentication. Before the patch, this function would execute without verifying the user's identity, leading to information disclosure. Therefore, Controller.GetUsageReportSummary is the vulnerable function that would appear in a runtime profile when the vulnerability is exploited.

Vulnerable functions

Controller.GetUsageReportSummary

pkg/api/controller.go

The vulnerability lies in the `GetUsageReportSummary` function, which, prior to the patch, did not perform any authentication checks. This allowed an unauthenticated attacker to access the `/api/v1/usage-report/summary` endpoint and retrieve API usage metrics. The patch adds an authentication check at the beginning of the function to ensure that only authenticated users can access this information.

WAF Protection Rules

WAF Rule

### Imp**t Missin* *ut**nti**tion in t** `/*pi/v*/us***-r*port/summ*ry` *n*point *llows *nyon* to r*tri*v* ***r***t* *PI us*** *ounts. W*il* no s*nsitiv* **t* is *is*los**, t** *n*point m*y r*v**l in*orm*tion **out s*rvi** **tivity or uptim*. ### P

Reasoning

T** *n*lysis o* t** provi*** s**urity **visory *n* t** *sso*i*t** *ommit `****************************************` *l**rly in*i**t*s t**t t** vuln*r**ility is * missin* *ut**nti**tion ****k in t** `/*pi/v*/us***-r*port/summ*ry` *n*point. T** p*t** *

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-64179: lakeFS affected by unauthenticated access to API usage metrics

Impact

Patches

Workarounds

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI