CVE-2025-68671

Groundhog Day in the Data Lake: Infinite Replay in lakeFS (CVE-2025-68671)

Alon Barad
Alon Barad
Software Engineer

Jan 15, 2026·6 min read·8 visits

Executive Summary (TL;DR)

The lakeFS S3 gateway correctly verified cryptographic signatures but ignored the timestamp. This means any valid request (including presigned URLs meant to expire in minutes) captured by an attacker could be replayed forever to read, write, or delete data, effectively breaking the temporal security model of AWS SigV4.

A critical authentication bypass in lakeFS's S3 gateway allowed attackers to replay captured requests indefinitely due to missing timestamp validation in the AWS Signature V4 implementation.

Official Patches

TreeverselakeFS v1.75.0 Release Notes

Fix Analysis (1)

Technical Appendix

CVSS Score
7.4 (Estimated)/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Probability
0.04%
Top 100% most exploited

Affected Systems

lakeFS S3 Gateway

Affected Versions Detail

Product
Affected Versions
Fixed Version
lakeFS
Treeverse
<= 1.74.41.75.0
AttributeDetail
CWE IDCWE-294
Attack VectorNetwork (Replay)
ImpactAuthentication Bypass / Data Integrity
CVSS (Est)7.4 (High)
StatusPatched
Clock Skew Limit15 Minutes (Post-Fix)

MITRE ATT&CK Mapping

T1557Adversary-in-the-Middle
Credential Access
T1040Network Sniffing
Credential Access
T1550Use Existing Session Material
Defense Evasion
CWE-294
Authentication Bypass by Capture-replay

Authentication Bypass by Capture-replay

Known Exploits & Detection

ManualManual replay of captured CURL requests with old X-Amz-Date headers

Vulnerability Timeline

Issue Reported
2025-10-23
Fix Merged
2025-12-02
Public Disclosure
2026-01-15