CVE-2025-68671

Published Jan 15, 2026

Last updated 2 months ago

CVSS medium 6.5

Network

Overview

Description: lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
Source: security-advisories@github.com
NVD status: Analyzed
Products: lakefs

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.8
Impact score: 2.5
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-294

Hype score: Not currently trending

CVE-2025-68671 lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests,… https://t.co/07VyHGBHFR
@CVEnew
16 Jan 2026
264 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:lakefs:lakefs:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "1A4347A4-1048-4A23-AE88-001ABB5657BF",
            "versionEndExcluding": "1.75.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References