VYPR

Go modules package

github.com/treeverse/lakefs

pkg:golang/github.com/treeverse/lakefs

Vulnerabilities (5)

  • CVE-2026-26187, Feb 13, 2026
    affected < 1.77.0, fixed 1.77.0

    lakeFS is an open-source tool that transforms object storage into Git-like repositories. Prior to 1.77.0, the local block adapter (pkg/block/local/adapter.go) allows authenticated users to read and write files outside their designated storage boundaries. The verifyRelPath funct

  • CVE-2025-68671, Jan 15, 2026
    affected < 1.75.0, fixed 1.75.0

    lakeFS is an open-source tool that transforms object storage into Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network

  • CVE-2025-64179, Med, Nov 6, 2025
    affected < 1.71.0, fixed 1.71.0

    lakeFS is an open-source tool that transforms object storage into Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed,

  • CVE-2025-27100, Med, Feb 21, 2025
    affected < 1.50.0, fixed 1.50.0

    lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.

  • CVE-2024-43784, Med, Nov 26, 2024
    affected < 1.33.0, fixed 1.33.0

    lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that us