Home > Vulnerability Database > CVE-2025-68671

Mend.io Vulnerability Database

CVE-2025-68671

Good to know:

Date: January 15, 2026

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.

Severity Score

6.5

Related Resources (7)

Url: https://github.com/treeverse/lakeFS/issues/9599

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68671

Url: https://github.com/treeverse/lakeFS

Url: https://github.com/treeverse/lakeFS/pull/9710

Url: https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f

Url: https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8

Url: https://www.mend.io/vulnerability-database/CVE-2025-68671

Severity Score

6.5

Weakness Type (CWE)

Authentication Bypass by Capture-replay

CWE-294

Top Fix

Upgrade Version

Upgrade to version github.com/treeverse/lakefs - v1.75.0;https://github.com/treeverse/lakeFS.git - v1.74.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68671

Good to know:

Date: January 15, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?