CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS
Description
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-22T23:37:00.931Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6969710d7c726673b6836a48
Added to database: 1/15/2026, 10:58:21 PM
Last updated: 1/15/2026, 10:58:58 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1009: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium Forum (Altium 365)
CriticalCVE-2026-1008: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365
MediumCVE-2026-0915: CWE-908 Use of Uninitialized Resource in The GNU C Library glibc
MediumCVE-2025-67822: n/a
UnknownCVE-2025-59959: CWE-822 Untrusted Pointer Dereference in Juniper Networks Junos OS
MediumActions
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.