CVE-2025-64179 identifies a missing authorization vulnerability in the open-source data versioning tool lakeFS, developed by treeverse. lakeFS enables users to manage object storage with Git-like semantics, widely used in data engineering and analytics workflows. Versions 1.69.0 and earlier expose the /api/v1/usage-report/summary REST API endpoint without requiring authentication or authorization checks. This endpoint returns aggregate API usage counts, which do not include sensitive or personally identifiable information but can reveal operational metadata such as service activity levels and uptime patterns. The vulnerability arises from CWE-862 (Missing Authorization) and CWE-200 (Information Exposure), indicating that the system fails to enforce access control on this resource, leading to unintended information disclosure. The flaw can be exploited remotely by any unauthenticated attacker, as no privileges or user interaction are required. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the low confidentiality impact but ease of access. The vulnerability does not affect data integrity or availability. The issue was publicly disclosed on November 6, 2025, and resolved in lakeFS version 1.71.0. Until upgrading, mitigation can be achieved by blocking access to the vulnerable endpoint using perimeter security controls such as load balancers or application-level firewalls. No active exploitation has been reported to date.

For European organizations, the primary impact of this vulnerability is the unintended disclosure of aggregate API usage data, which could provide adversaries with insights into service activity patterns, operational uptime, or usage volumes. While this information is not sensitive per se, it could be leveraged in reconnaissance phases of targeted attacks, helping threat actors to time attacks or identify periods of low monitoring. Organizations relying on lakeFS for data versioning and object storage management may face increased risk of information leakage about their internal workflows. However, since no sensitive data or credentials are exposed, and there is no impact on data integrity or availability, the direct operational risk is limited. Nonetheless, in highly regulated sectors such as finance, healthcare, or critical infrastructure within Europe, even metadata exposure can contravene strict data governance policies or compliance requirements. Therefore, timely patching or mitigation is recommended to maintain security posture and regulatory compliance.

1. Upgrade lakeFS to version 1.71.0 or later, where the missing authorization issue is fixed. 2. If immediate upgrade is not feasible, implement network-level controls to block or restrict access to the /api/v1/usage-report/summary endpoint. This can be done via load balancers, reverse proxies, or application firewalls configured to deny unauthenticated requests to this path. 3. Employ strict access control policies and authentication mechanisms for all lakeFS API endpoints to prevent unauthorized access. 4. Monitor logs for unusual or repeated access attempts to the usage-report endpoint to detect potential reconnaissance activity. 5. Conduct regular security assessments and penetration testing focused on API endpoints to identify similar authorization weaknesses. 6. Educate development and operations teams about secure API design principles, emphasizing the importance of authorization checks on all endpoints. 7. Review and update incident response plans to include scenarios involving information disclosure through metadata endpoints.