CVE-2025-68671
MEDIUM 6.5, EPSS 0.02%
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication in github.com/treeverse/lakefs
Published: 1/15/2026
Modified: 3/3/2026
Description
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication in github.com/treeverse/lakefs
Affected packages (2)
- Go/github.com/treeverse/lakefs from 0, < 1.75.0
- Go/github.com/treeverse/lakefs from 0, < 1.75.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-68671
- PATCH: https://github.com/treeverse/lakeFS
- WEB: https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8
- WEB: https://github.com/treeverse/lakeFS/issues/9599
- WEB: https://github.com/treeverse/lakeFS/pull/9710
- WEB: https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f