CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS
lakeFS is an open-source tool that transforms object storage into Git-like repositories. lakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0.
AI Analysis
Technical Summary
CVE-2025-68671 affects treeverse's lakeFS, an open-source tool that provides Git-like version control over object storage. lakeFS exposes an S3-compatible gateway, so clients authenticate to it the way they authenticate to Amazon S3: every request carries a signature computed from the caller's secret key over the request, together with a timestamp (for AWS Signature Version 4, the X-Amz-Date header or query parameter, plus X-Amz-Expires on presigned URLs). A conforming S3 endpoint uses that timestamp to bound the lifetime of a signed request: S3 itself rejects requests whose X-Amz-Date is more than 15 minutes from server time (RequestTimeTooSkewed) and refuses presigned URLs past their expiry. In lakeFS versions prior to 1.75.0 the S3 gateway verifies the signature but does not enforce the timestamp, so a request that was validly signed once stays valid indefinitely. An attacker who obtains a copy of a signed request, for example by intercepting unencrypted traffic, reading it from proxy or application logs, or recovering it from a compromised client, can resubmit it at any later time and the gateway will execute it again. The attacker needs no credentials of their own and no user interaction, but does need that captured request, and a replay only re-executes the request as it was signed (same method, path and signed content); it does not let the attacker forge new requests. Because the signature is derived from the credential's secret key, the captured request stays usable until that credential is rotated. The impact is unauthorized reads of repository data, or repeated execution of captured writes and deletes, affecting confidentiality and integrity; the weakness is CWE-294 (Authentication Bypass by Capture-replay). lakeFS 1.75.0 fixes the issue by validating request timestamps. No exploitation in the wild has been reported; the CVSS 3.1 base score of 6.5 (medium) reflects that exploitation needs a captured request first but nothing more once one is obtained.
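The check the advisory describes as absent, written out as an added Go example; it is not lakeFS gateway code. It assumes SigV4-style S3 authentication (an Authorization header with X-Amz-Date, or a presigned URL carrying X-Amz-Signature, X-Amz-Date and X-Amz-Expires) and that signature verification has already succeeded; ReplayGuard, parseSigned and the placeholder credential in main are this example's own names, while the 15-minute skew window and the 7-day cap on X-Amz-Expires are S3's documented limits.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

const (
	amzDateLayout = "20060102T150405Z" // ISO 8601 basic format of X-Amz-Date
	maxSkew       = 15 * time.Minute   // S3 answers RequestTimeTooSkewed beyond this
)

var (
	ErrUnsigned = errors.New("request lacks a SigV4 signature or X-Amz-Date")
	ErrStale    = errors.New("X-Amz-Date outside the skew window or presigned URL expired")
	ErrReplayed = errors.New("signature already accepted once")
)

// parseSigned reads either SigV4 form: Authorization + X-Amz-Date headers, or the
// X-Amz-Signature/X-Amz-Date/X-Amz-Expires query parameters of a presigned URL.
// expires is > 0 only for presigned URLs. (The RFC 1123 Date header SigV4 also
// permits is omitted for brevity.)
func parseSigned(r *http.Request) (sig string, signedAt time.Time, expires time.Duration, err error) {
	q := r.URL.Query()
	if sig = q.Get("X-Amz-Signature"); sig != "" {
		if signedAt, err = time.Parse(amzDateLayout, q.Get("X-Amz-Date")); err != nil {
			return "", time.Time{}, 0, ErrUnsigned
		}
		// X-Amz-Expires is a lifetime in seconds; S3 caps it at 7 days.
		expires, err = time.ParseDuration(q.Get("X-Amz-Expires") + "s")
		if err != nil || expires <= 0 || expires > 7*24*time.Hour {
			return "", time.Time{}, 0, ErrStale
		}
		return sig, signedAt, expires, nil
	}
	auth := r.Header.Get("Authorization")
	i := strings.Index(auth, "Signature=")
	if !strings.HasPrefix(auth, "AWS4-HMAC-SHA256 ") || i < 0 {
		return "", time.Time{}, 0, ErrUnsigned
	}
	if signedAt, err = time.Parse(amzDateLayout, r.Header.Get("X-Amz-Date")); err != nil {
		return "", time.Time{}, 0, ErrUnsigned
	}
	return auth[i+len("Signature="):], signedAt, 0, nil
}

// ReplayGuard enforces freshness and, for header-signed requests, single use of
// each signature for as long as the skew check alone could still accept it.
type ReplayGuard struct {
	mu   sync.Mutex
	seen map[string]time.Time // signature -> instant after which skew rejects it
}

func NewReplayGuard() *ReplayGuard { return &ReplayGuard{seen: map[string]time.Time{}} }

// Check is the step missing before 1.75.0: after the signature has been verified,
// decide whether the request is still fresh. now is a parameter for testability.
func (g *ReplayGuard) Check(r *http.Request, now time.Time) error {
	sig, signedAt, expires, err := parseSigned(r)
	if err != nil {
		return err
	}
	if expires > 0 {
		// Presigned URL: valid from X-Amz-Date until X-Amz-Date + X-Amz-Expires. Clients
		// legitimately fetch such a URL more than once, so expiry, not single use, bounds it.
		if now.Before(signedAt.Add(-maxSkew)) || now.After(signedAt.Add(expires)) {
			return ErrStale
		}
		return nil
	}
	if d := now.Sub(signedAt); d > maxSkew || d < -maxSkew {
		return ErrStale
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	for s, until := range g.seen { // evict entries the skew check would now reject anyway
		if now.After(until) {
			delete(g.seen, s)
		}
	}
	if _, dup := g.seen[sig]; dup {
		return ErrReplayed
	}
	g.seen[sig] = signedAt.Add(maxSkew)
	return nil
}

func main() { // constructed request; credential and signature values are placeholders
	now := time.Date(2026, 1, 15, 12, 0, 0, 0, time.UTC)
	req, _ := http.NewRequest("PUT", "http://lakefs.example/data-lake/main/model.bin", nil)
	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20260115/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=4a1b9c")
	req.Header.Set("X-Amz-Date", now.Format(amzDateLayout))
	g := NewReplayGuard()
	fmt.Println(g.Check(req, now), "|", g.Check(req, now.Add(time.Second)), "|", g.Check(req, now.Add(24*time.Hour)))
}
```

Enforcing the timestamp alone is what closes the CVE: once a signed request is only accepted inside the window, a captured copy is worthless after at most 15 minutes, or after X-Amz-Expires for a presigned URL. The single-use cache tightens that to zero replays inside the window for header-signed requests, which SDK clients generally tolerate because they re-sign retried requests with a fresh X-Amz-Date; presigned URLs are deliberately excluded from it because fetching the same URL twice is a normal pattern. With the check in place, main prints a nil error for the original request, ErrReplayed one second later and ErrStale a day later.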
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on lakeFS to manage critical object storage repositories. Replay attacks can lead to unauthorized data access or modification, compromising data confidentiality and integrity. This risk is heightened in sectors handling sensitive or regulated data, such as finance, healthcare, and government. Unauthorized replayed requests could allow attackers to retrieve or alter stored objects, potentially leading to data breaches or disruption of data workflows. Since the vulnerability does not affect availability directly, denial-of-service impacts are minimal. However, the trustworthiness of version-controlled object storage is critical for compliance and operational integrity, so exploitation could have regulatory and reputational consequences. Organizations with automated pipelines or CI/CD processes integrating lakeFS could see cascading effects if malicious replayed requests alter stored artifacts or configurations.
Mitigation Recommendations
Upgrade every lakeFS deployment to 1.75.0 or later; that is the only change that makes the gateway reject stale signed requests. Until the upgrade is done, treat any signed request that may have been captured as a live credential: rotating the affected access keys is the one action that retroactively invalidates captured requests, because the S3 request signature is derived from the key's secret and a request signed under a rotated key no longer verifies. Reduce the chance of capture in the first place: terminate TLS in front of the gateway and refuse plain HTTP (a client configured with an http:// endpoint hands the complete signed request to anyone on the path), and keep Authorization headers and presigned URLs out of proxy, load-balancer and application logs (a presigned URL carries its signature in the query string, which access logs commonly record). For detection, a replay is an exact re-submission, so alert when the same signature value is seen more than once, when a request arrives with an X-Amz-Date far from the gateway's clock, or when a presigned URL is used after its X-Amz-Expires; repeated operations on the same object are normal, repeated signatures are not. Network segmentation and anomaly detection on gateway traffic add defense in depth. Note that shortening X-Amz-Expires on presigned URLs does not help on unpatched versions, since the expiry is exactly what the gateway fails to enforce. Finally, make sure developers and administrators understand that a signed request is a bearer token for the operation it authorizes and handle it accordingly.
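An added example of the log-side detection described in the mitigations (mine, not a lakeFS feature). It assumes an access log in a constructed format that records arrival time, source address, method, path, the X-Amz-Date the client signed and the SigV4 signature value, and applies two rules to constructed sample lines: a request served far from its own X-Amz-Date was accepted when it should have been rejected, and a signature value seen twice is an exact replay. The key point is that a legitimate client repeating an operation signs it afresh each time, so a repeated signature, not a repeated path, is the replay signal.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed log format for this example (not lakeFS's own format): one line
// per request served by the S3 gateway, recording arrival time, source address,
// method, path, the X-Amz-Date the client signed, and the SigV4 Signature value.
// The signature identifies one specific signed request and contains no secret,
// so it is safe to log; the full Authorization header is not.
const sampleLog = `2026-01-15T12:00:01Z 10.0.0.5 PUT /data-lake/main/model.bin amz_date=20260115T120000Z sig=4a1b9c
2026-01-15T12:00:02Z 10.0.0.5 GET /data-lake/main/schema.json amz_date=20260115T120001Z sig=77e2f0
2026-01-15T12:00:09Z 10.0.0.5 GET /data-lake/main/schema.json amz_date=20260115T120008Z sig=0c3d51
2026-01-15T13:30:00Z 203.0.113.9 PUT /data-lake/main/model.bin amz_date=20260115T120000Z sig=4a1b9c
2026-01-15T14:05:00Z 10.0.0.5 GET /data-lake/main/schema.json amz_date=20260115T120001Z sig=77e2f0`

const amzDateLayout = "20060102T150405Z" // ISO 8601 basic format of X-Amz-Date

type entry struct {
	at      time.Time // when the gateway served the request
	src     string
	method  string
	path    string
	amzDate time.Time // timestamp inside the signed request
	sig     string
}

func parseLine(line string) (entry, error) {
	f := strings.Fields(line)
	if len(f) != 6 || !strings.HasPrefix(f[4], "amz_date=") || !strings.HasPrefix(f[5], "sig=") {
		return entry{}, fmt.Errorf("unexpected line format: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return entry{}, err
	}
	amzDate, err := time.Parse(amzDateLayout, strings.TrimPrefix(f[4], "amz_date="))
	if err != nil {
		return entry{}, err
	}
	return entry{at, f[1], f[2], f[3], amzDate, strings.TrimPrefix(f[5], "sig=")}, nil
}

// findReplays applies two rules: a request served more than maxSkew away from
// its own X-Amz-Date should not have been accepted (a patched gateway rejects
// it), and a signature value that appears twice is an exact replay. The second
// and third lines of sampleLog read the same object twice with different
// signatures and trigger neither rule; only the last two lines are replays.
func findReplays(log string, maxSkew time.Duration) []string {
	seen := make(map[string]entry) // signature -> first request that carried it
	var findings []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := parseLine(line)
		if err != nil {
			findings = append(findings, "unparsable: "+err.Error())
			continue
		}
		if d := e.at.Sub(e.amzDate); d > maxSkew || d < -maxSkew {
			findings = append(findings, fmt.Sprintf("stale request accepted: %s %s signed %s, served %s to %s",
				e.method, e.path, e.amzDate.Format(time.RFC3339), e.at.Format(time.RFC3339), e.src))
		}
		if first, ok := seen[e.sig]; ok {
			findings = append(findings, fmt.Sprintf("signature %s replayed: first %s from %s, again %s from %s",
				e.sig, first.at.Format(time.RFC3339), first.src, e.at.Format(time.RFC3339), e.src))
			continue
		}
		seen[e.sig] = e
	}
	return findings
}

func main() {
	for _, f := range findReplays(sampleLog, 15*time.Minute) {
		fmt.Println(f)
	}
}
```

Run against the sample, findReplays reports four findings: the two late requests are each stale relative to their own X-Amz-Date and each reuse a signature seen earlier, the first of them from a different source address. The first three lines, including the second read of schema.json, produce nothing. On an unpatched gateway the stale rule is the one that matters, since the gateway itself accepted those requests; after upgrading to 1.75.0 it should never fire, which makes it a cheap regression check that the fix is in place.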
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-22T23:37:00.931Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6969710d7c726673b6836a48
Added to database: 1/15/2026, 10:58:21 PM
Last enriched: 1/23/2026, 7:49:17 PM
Last updated: 2/7/2026, 3:53:02 PM