GHSA-h238-5mwf-8xw8: lakeFS affected by unauthenticated access to API usage metrics
CVE ID
CVE-2025-64179
Severity: Moderate (GitHub Reviewed). Published Nov 2, 2025 in treeverse/lakeFS; updated Nov 3, 2025.
Package
gomod github.com/treeverse/lakefs (Go)
Affected versions
< 1.71.0
Impact
Missing authentication on the /api/v1/usage-report/summary endpoint allows any unauthenticated client to retrieve aggregate API usage counts. No sensitive data (objects, metadata, credentials) is disclosed, but the counts can reveal how busy the service is and whether it is up, which is useful reconnaissance for an attacker.
Patches
Upgrade to a version later than v1.70.1, i.e. v1.71.0 or later (the affected range is < 1.71.0).
Workarounds
Any ONE of the following is sufficient to stop unauthenticated access to the endpoint:
- Disable usage reporting by setting the configuration option usage_report.enabled, or the environment variable LAKEFS_USAGE_REPORT_ENABLED, to false. Note that this turns the feature off entirely, not just for unauthenticated callers.
- Block the request route /api/v1/usage-report/summary at a load balancer or application-level firewall in front of lakeFS. Make sure the rule covers every ingress path to the service, not just the public one.
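To make the advisory concrete, here is an added Go example (written for this page, not lakeFS's own code or its fix) that models the three states described above: the endpoint mounted with no authentication, the same endpoint behind an auth check, and the vulnerable endpoint with the route blocked in front of it as a load balancer or WAF rule would do. Only the path /api/v1/usage-report/summary comes from the advisory; the response body, the bearer-token check, the token value and the status codes returned are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Path taken from the advisory. Everything else in this file is an
// illustrative model written for this page, not lakeFS's own code.
const usagePath = "/api/v1/usage-report/summary"

// demoToken stands in for a real credential; assumed value for the example only.
const demoToken = "example-token"

// usageSummary is a stand-in for the endpoint body: aggregate request counts
// (constructed sample data, not real lakeFS output).
func usageSummary(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"total_requests":12345,"window":"24h"}`)
}

// requireAuth is the hardened form: reject any request that does not carry a
// valid bearer token before the handler runs.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || tok != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// blockRoute models workaround 2: drop the route before it reaches the app,
// the way a load-balancer or WAF rule would. Returning 404 hides the route
// from everyone, authenticated or not.
func blockRoute(path string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == path {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// VulnerableServer mounts the endpoint with no auth, as in the advisory.
func VulnerableServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(usagePath, usageSummary)
	return mux
}

// HardenedServer mounts the same endpoint behind requireAuth.
func HardenedServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle(usagePath, requireAuth(http.HandlerFunc(usageSummary)))
	return mux
}

// BlockedServer is the vulnerable server with the route blocked in front of it.
func BlockedServer() http.Handler {
	return blockRoute(usagePath, VulnerableServer())
}

// Probe sends one GET to the endpoint, with or without a bearer token, and
// returns the HTTP status code. This is the check you would run against a
// deployment to confirm a fix or workaround actually took effect.
func Probe(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, usagePath, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, no token:", Probe(VulnerableServer(), ""))
	fmt.Println("hardened,   no token:", Probe(HardenedServer(), ""))
	fmt.Println("hardened,   token:   ", Probe(HardenedServer(), demoToken))
	fmt.Println("blocked,    token:   ", Probe(BlockedServer(), demoToken))
}
```

Against a real deployment the equivalent check is an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}' https://<host>/api/v1/usage-report/summary` (host is a placeholder): a 200 after patching or applying a workaround means the endpoint is still exposed. If you take the configuration route, the dotted option name usage_report.enabled would normally be written in the lakeFS YAML config as a nested key (usage_report: enabled: false); that nesting is inferred from the option name, not stated in the advisory.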
References
- GHSA-h238-5mwf-8xw8
- treeverse/lakeFS@1c8adab
Published to the GitHub Advisory Database
Nov 3, 2025