Authenticated Denial-of-Service Vulnerability in lakeFS by Treeverse
CVE-2025-27100

Currently unrated

Key Information:

Vendor: Treeverse
Product: lakeFS
CVE Published: 21 February 2025

Summary

An authenticated denial-of-service vulnerability exists in lakeFS, an open-source tool developed by Treeverse that turns object storage into a Git-like repository. In versions 1.49.1 and below, an authenticated user can exploit this vulnerability to exhaust server memory and crash the lakeFS service. Users are strongly advised to upgrade to version 1.50.0 to mitigate this risk. Those unable to upgrade immediately can set the environment variable LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART to true, or set the disable_pre_signed_multipart key in their config YAML, to block exploitation of this vulnerability.
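The workaround above, shown as an added configuration example (this is not text from the advisory or from the lakeFS project). The nesting of the key under `blockstore.s3` is an assumption inferred from the environment variable name `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART`; the bucket name and the surrounding keys are placeholders, and the rest of a real lakeFS configuration is omitted.

```yaml
# Assumed lakeFS config fragment (placeholder values).
# Before (vulnerable on 1.49.1 and below): the key is absent, so the
# default applies and pre-signed multipart uploads stay enabled.
blockstore:
  type: s3
  s3:
    region: us-east-1            # placeholder

# After: temporary mitigation for CVE-2025-27100 when an upgrade to
# 1.50.0 is not yet possible. Equivalent to exporting
# LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART=true in the service
# environment (the environment variable takes the same boolean value).
blockstore:
  type: s3
  s3:
    region: us-east-1            # placeholder
    disable_pre_signed_multipart: true
```

Treat the setting as a stop-gap: it removes the exploitable path but also disables pre-signed multipart uploads for clients that rely on them, so upgrading to 1.50.0 and then removing the override is the lasting fix.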

References

Timeline

  • Vulnerability published
