CVE-2025-64179: 
vulnerability analysis and mitigation

CVE-2025-64179 affects lakeFS, exposing an authentication bypass vulnerability in the /api/v1/usage-report/summary endpoint. The vulnerability was discovered and disclosed on November 2, 2025, affecting versions prior to 1.71.0. This security flaw allows unauthenticated users to access API usage metrics, potentially revealing information about service activity and uptime (GitHub Advisory, Miggo).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue stems from a missing authentication check in the GetUsageReportSummary function within pkg/api/controller.go. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization) (GitHub Advisory).

While no sensitive data is directly disclosed, the vulnerability allows unauthorized access to aggregate API usage counts, which could reveal information about service activity and uptime. This information exposure could potentially be used by attackers to gain insights into system usage patterns and operational status (GitHub Advisory, Miggo).

Users are advised to upgrade to lakeFS version 1.71.0 or later which includes the security fix. Alternative workarounds include: 1) Disabling usage reporting by setting the configuration option usagereport.enabled or environment variable LAKEFSUSAGEREPORTENABLED to false, or 2) Using a load-balancer or application level firewall to block requests to the /api/v1/usage-report/summary endpoint (GitHub Advisory).