6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68671

CVE-2025-68671: lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68671

CVE-2025-68671:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/treeverse/lakefs	go	< 1.75.0	1.75.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a replay attack vector in lakeFS's S3 gateway due to missing timestamp validation for authenticated requests using AWS Signature Version 4. An attacker who captures a valid signed request can replay it until the credentials are rotated.

The analysis of the patch commit 92966ae611d7f1a2bbe7fd56f9568c975aab2bd8 reveals the root cause and the fix. The core of the vulnerability was in the signature verification logic for S3 requests.

The key vulnerable functions identified are:

sig.V4Verify in pkg/gateway/sig/v4.go: This function is responsible for the final verification of the request's signature. The patch introduces a call to a new verifyExpiration function within V4Verify. Before this change, V4Verify would validate the signature but would not check if the request's timestamp (X-Amz-Date) was within an acceptable time window or if the presigned URL had expired (based on X-Amz-Expires). This omission is what allowed for replay attacks.
sig.ParseV4AuthContext in pkg/gateway/sig/v4.go: This function is responsible for parsing the request and extracting the necessary components for signature verification. The patch adds logic to this function to specifically look for and parse presigned URL parameters, including X-Amz-Expires. Without parsing this expiration information, the V4Verify function would not have the necessary data to perform the expiration check.

The newly added function verificationCtx.verifyExpiration contains the actual logic for checking the timestamp against the current time, accounting for clock skew and the expiration duration specified in presigned URLs.

In a runtime profile during an exploit, sig.ParseV4AuthContext would be called first to process the incoming request, followed by sig.V4Verify which would (in a vulnerable version) incorrectly approve a replayed request. Therefore, both functions are critical runtime indicators of this vulnerability.

Vulnerable functions

sig.V4Verify

pkg/gateway/sig/v4.go

This function is responsible for verifying AWS Signature Version 4. Prior to the patch, it did not validate the request's timestamp, allowing an attacker to replay a captured signed request indefinitely. The patch adds a call to `verifyExpiration` to check if the request has expired.

sig.ParseV4AuthContext

pkg/gateway/sig/v4.go

This function parses the authentication context from an HTTP request. Before the patch, it did not parse the 'X-Amz-Expires' parameter from presigned URLs, which is necessary for checking the request's expiration. The lack of this parsing contributed to the replay attack vulnerability.

verificationCtx.verifyExpiration

pkg/gateway/sig/v4.go

This new function was added to implement the timestamp and expiration validation for presigned URLs. It is called by `V4Verify` and contains the core logic to fix the replay attack vulnerability. It checks for clock skew and if the request has expired.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68671: lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

CVE-2025-68671:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-68671: lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

6.5

6.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI