CVE-2025-64179: CWE-862: Missing Authorization in treeverse lakeFS
lakeFS is an open-source tool that transforms object storage into Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0. To work around the vulnerability, use a load balancer or application-level firewall to block the request route /api/v1/usage-report/summary.
AI Analysis
Technical Summary
CVE-2025-64179 is a missing-authorization (CWE-862) vulnerability in lakeFS, the open-source project from treeverse that layers Git-like version control over object storage. In versions 1.69.0 and earlier, the REST endpoint /api/v1/usage-report/summary is served without the access check that the rest of the API enforces, so any unauthenticated client that can reach the server can retrieve aggregate API usage counts. The vendor description calls this missing authentication; the CWE mapping, Missing Authorization, reflects the same fact from the server's side: the route is exposed without the check applied to other authenticated routes.

The data returned is aggregate counts, not repository contents, object data or user identities. It does, however, reveal operational metadata: how heavily the API is used and whether the service has been active or idle over a period. An attacker can use this during reconnaissance to confirm that a host is a live lakeFS instance, estimate how important it is, and infer activity windows. The vulnerability is exploitable remotely with low complexity, requires no privileges and no user interaction, and has no effect on integrity or availability.

The issue carries a CVSS v3.1 base score of 5.3 (medium), reflecting a limited confidentiality impact only. The fix shipped in lakeFS 1.71.0. Until an upgrade is possible, blocking the route at a load balancer or application-level firewall removes the exposure. No exploitation in the wild has been reported as of publication.
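To make the CWE-862 shape concrete, here is an added example in Go (lakeFS's implementation language) that is not lakeFS's code and does not reproduce its internals: a minimal net/http server with a placeholder token check, the usage-report handler registered once outside that check (the vulnerable pattern) and once through a default-deny route table in which every route is authenticated unless explicitly marked public. The paths, the "demo-token" credential, the health-check route and the counters are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed aggregate counters standing in for a usage report.
// Assumption for this example; not lakeFS's data model.
var usageCounts = map[string]int{"GetObject": 1200, "Commit": 34}

// requireAuth is a placeholder credential check: any request carrying
// "Authorization: Bearer demo-token" is treated as authenticated.
// A real server validates a session or signed credentials here.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer demo-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func usageSummary(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, `{"getObject":%d,"commit":%d}`, usageCounts["GetObject"], usageCounts["Commit"])
}

func healthcheck(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) }

// vulnerableMux reproduces the CWE-862 shape: the report handler is
// registered directly, so the auth wrapper never runs for that path.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/healthcheck", http.HandlerFunc(healthcheck))
	mux.Handle("/api/v1/usage-report/summary", http.HandlerFunc(usageSummary))
	return mux
}

// route is one API entry. Routes are authenticated unless public is set,
// so a forgotten wrapper is no longer possible: the builder applies it.
type route struct {
	path   string
	public bool
	h      http.HandlerFunc
}

func buildMux(routes []route) http.Handler {
	mux := http.NewServeMux()
	for _, rt := range routes {
		var h http.Handler = rt.h
		if !rt.public {
			h = requireAuth(h)
		}
		mux.Handle(rt.path, h)
	}
	return mux
}

// fixedMux uses the default-deny builder; only the health check is public.
func fixedMux() http.Handler {
	return buildMux([]route{
		{path: "/api/v1/healthcheck", public: true, h: healthcheck},
		{path: "/api/v1/usage-report/summary", h: usageSummary},
	})
}

// probe returns the status an HTTP client gets for path, with or without a token.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const p = "/api/v1/usage-report/summary"
	fmt.Println("vulnerable, anonymous:", probe(vulnerableMux(), p, ""))
	fmt.Println("fixed, anonymous:     ", probe(fixedMux(), p, ""))
	fmt.Println("fixed, with token:    ", probe(fixedMux(), p, "demo-token"))
}
```

Running it prints 200, 401 and 200 for the three probes. The route-table builder is the structural fix worth copying: the set of unauthenticated routes becomes an explicit, reviewable allowlist, and a new telemetry or reporting endpoint cannot land outside the check by omission.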
Potential Impact
For European organizations, the direct impact is disclosure of aggregate API usage metrics from their lakeFS deployments. No repository contents, object data or user-specific information is exposed, but the counts describe operational patterns: how busy a deployment is and when it is active or idle. An attacker can use this to confirm that a host is a live lakeFS instance, gauge how valuable it is, and choose timing for follow-on activity against the same environment. Teams running lakeFS for data engineering, analytics or cloud-native storage management therefore face a modest increase in reconnaissance risk rather than a loss of data. Integrity and availability are unaffected, so business operations continue normally. Organizations with strict policies on information disclosure should still treat the issue as worth prompt remediation. Exposure is greatest for lakeFS instances reachable from the internet, or from broad internal networks, without network-level access control in front of the API.
Mitigation Recommendations
1. Upgrade lakeFS to 1.71.0 or later, where the access check on /api/v1/usage-report/summary is enforced. After upgrading, confirm with an unauthenticated GET to the endpoint that it no longer returns 200.
2. If an immediate upgrade is not feasible, block the route /api/v1/usage-report/summary at the load balancer or application-level firewall in front of lakeFS (a 403 or 404 for that exact path). This only helps if clients cannot bypass the proxy and reach the lakeFS listener directly, so restrict network access to the service port at the same time.
3. Review API gateway and reverse-proxy configurations so that authentication and authorization are enforced on every API route, with any intentionally unauthenticated routes (health checks, for example) listed explicitly rather than left to be discovered.
4. Monitor access logs for requests to the usage-report path, particularly 2xx responses from sources outside the expected client set, both to detect reconnaissance and to verify that the block or the upgrade is actually in effect.
5. Track the CVE in the vulnerability-management and patching workflow so the upgrade is scheduled rather than deferred indefinitely.
6. Brief DevOps and security teams on telemetry and usage-reporting endpoints: they are easy to add outside the authenticated route group, and when that happens they leak operational data.
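As an added example for item 4 (not code from lakeFS or from this advisory), the following Go program scans access-log lines in the common combined format, as a reverse proxy in front of lakeFS might write them, and aggregates hits on /api/v1/usage-report/summary per client, separating 2xx responses (the report was handed out) from everything else (blocked by the proxy, or 401 after the upgrade). The log lines are constructed for the example; the log format, the field order and the use of 2xx as the "served" signal are assumptions to adapt to your own proxy.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed access-log lines in the common combined format. Sample data
// for this example only, not real traffic.
var sampleLog = []string{
	`203.0.113.7 - - [06/Nov/2025:22:01:11 +0000] "GET /api/v1/usage-report/summary HTTP/1.1" 200 412 "-" "curl/8.4.0"`,
	`203.0.113.7 - - [06/Nov/2025:22:01:19 +0000] "GET /api/v1/usage-report/summary HTTP/1.1" 200 412 "-" "curl/8.4.0"`,
	`10.0.0.5 - - [06/Nov/2025:22:03:02 +0000] "GET /api/v1/usage-report/summary HTTP/1.1" 403 0 "-" "python-requests/2.32"`,
	`198.51.100.3 - - [06/Nov/2025:22:04:40 +0000] "GET /api/v1/repositories HTTP/1.1" 401 52 "-" "curl/8.4.0"`,
	`203.0.113.7 - - [06/Nov/2025:22:05:00 +0000] "GET /api/v1/usage-report/summary?x=1 HTTP/1.1" 200 412 "-" "curl/8.4.0"`,
	`garbage line that does not parse`,
}

const usageReportPath = "/api/v1/usage-report/summary"

// Combined format: client ident user [time] "METHOD path proto" status bytes ...
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// Finding aggregates hits on the usage-report path per client and outcome.
type Finding struct {
	Client string
	Served int // 2xx responses: the report was handed out
	Denied int // anything else: proxy block, 401 after upgrade, etc.
}

// ScanAccessLog returns one Finding per client that touched the usage-report
// path, sorted by client address. Query strings are ignored when matching.
func ScanAccessLog(lines []string) []Finding {
	byClient := map[string]*Finding{}
	for _, ln := range lines {
		m := lineRe.FindStringSubmatch(ln)
		if m == nil {
			continue // unparseable line; a production job would count these
		}
		client, path, statusStr := m[1], m[3], m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i]
		}
		if path != usageReportPath {
			continue
		}
		status, _ := strconv.Atoi(statusStr) // regex guarantees three digits
		f := byClient[client]
		if f == nil {
			f = &Finding{Client: client}
			byClient[client] = f
		}
		if status >= 200 && status < 300 {
			f.Served++
		} else {
			f.Denied++
		}
	}
	out := make([]Finding, 0, len(byClient))
	for _, f := range byClient {
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client < out[j].Client })
	return out
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		flag := ""
		if f.Served > 0 {
			flag = "  <-- report disclosed; check version and block rule"
		}
		fmt.Printf("%-14s served=%d denied=%d%s\n", f.Client, f.Served, f.Denied, flag)
	}
}
```

A client with a non-zero Served count after you believe the route is blocked or the upgrade is done is the result that matters; Denied hits from unexpected sources still show that someone is probing for the endpoint.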
Affected Countries
Germany, United Kingdom, Netherlands, France, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-10-28T21:07:16.440Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690d1bd3a155e591f5870723
Added to database: 11/6/2025, 10:06:11 PM
Last enriched: 11/6/2025, 10:21:19 PM
Last updated: 11/7/2025, 3:52:14 AM