CVE-2025-27100

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Feb 21, 2025

CWE ID 400

Summary

CVE-2025-27100 affects lakeFS, an open-source tool that converts object storage into a Git-like repository. In vulnerable versions, an authenticated user can cause the server to run out of memory, resulting in a denial-of-service attack. This issue has been resolved in version 1.50.0. Users on versions 1.49.1 and below are at risk. To mitigate the vulnerability for those who cannot upgrade, set the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configure the `disable_pre_signed_multipart` key to true in the config yaml file.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Lakefs

Affected Vendors

Treeverse

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/3fmPKW
https://www.cve.org/CVERecord?id=CVE-2025-27100
https://nvd.nist.gov/vuln/detail/CVE-2025-27100

Back to Vulnerability Database