PT-2025-7629 · Lakefs · Lakefs

Arielshaqed · Published 2025-02-21 · Updated 2025-03-13 · CVE-2025-27100

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: lakeFS versions 1.49.1 and earlier

Description: lakeFS is an open-source tool that transforms object storage into a Git-like repository. In affected versions, an authenticated user can crash lakeFS by exhausting server memory, resulting in an authenticated denial-of-service issue. This problem has been solved in version 1.50.0.

Recommendations: For versions 1.49.1 and earlier, update to version 1.50.0 or later to resolve the issue. As a temporary workaround for users unable to upgrade, set the environment variable LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART to true, or set the disable_pre_signed_multipart key to true in the config YAML.
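A small check, added here and not part of the advisory or of lakeFS itself, that classifies a deployment as fixed, mitigated by the workaround, or still vulnerable. It assumes the YAML key sits at blockstore.s3.disable_pre_signed_multipart (mirroring the environment variable name) and that the environment variable overrides the config file; the sample config is constructed.

```python
# Added example (not from the advisory or lakeFS): is a deployment covered
# against CVE-2025-27100, either by a fixed release (>= 1.50.0) or by the
# pre-signed multipart workaround? Assumptions: the YAML key path is
# blockstore.s3.disable_pre_signed_multipart, mirroring the env var name,
# and the environment variable takes precedence over the config file.
from typing import Any, Mapping

FIXED_VERSION = (1, 50, 0)
ENV_VAR = "LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART"
CONFIG_PATH = ("blockstore", "s3", "disable_pre_signed_multipart")


def parse_version(text: str) -> tuple:
    """Turn 'v1.49.1' or '1.50.0-rc1' into a comparable (1, 49, 1) tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _truthy(value: Any) -> bool:
    """Accept YAML booleans and env strings such as 'true' or '1'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def workaround_enabled(config: Mapping[str, Any], env: Mapping[str, str]) -> bool:
    """Env var wins over the config file (assumed precedence)."""
    if ENV_VAR in env:
        return _truthy(env[ENV_VAR])
    node: Any = config
    for key in CONFIG_PATH:  # walk the nested YAML structure
        if not isinstance(node, Mapping) or key not in node:
            return False
        node = node[key]
    return _truthy(node)


def assess(version: str, config: Mapping[str, Any], env: Mapping[str, str]) -> str:
    """Return 'fixed', 'mitigated' or 'vulnerable' for CVE-2025-27100."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    if workaround_enabled(config, env):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample: a lakeFS config.yaml already loaded into a dict.
    sample = {"blockstore": {"type": "s3", "s3": {"disable_pre_signed_multipart": True}}}
    print(assess("1.49.1", {}, {}))      # vulnerable
    print(assess("1.49.1", sample, {}))  # mitigated
    print(assess("1.50.0", {}, {}))      # fixed
```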

Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2025-27100
GHSA-J7JW-28JM-WHR6
GO-2025-3479
OPENSUSE-SU-2025:14889-1

Affected Products

Lakefs