x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-j7jw-28jm-whr6

[GoVulnBot]

Advisory GHSA-j7jw-28jm-whr6 references a vulnerability in the following Go modules:

Module
github.com/treeverse/lakefs

Description:

Impact

An authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue.

Patches

This problem has been patched and exists in versions 1.49.1 and below

Workarounds

On S3 backends, configure

# ...
blockstore:
  s3:
    disable_pre_signed_multipart: true

or set environment variable LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART to true.

References

Are there any links users can visit to find out more?

References:

• ADVISORY: GHSA-j7jw-28jm-whr6
• ADVISORY: GHSA-j7jw-28jm-whr6
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27100
• FIX: treeverse/lakeFS@3a62575

Cross references:

• github.com/treeverse/lakefs appears in 7 other report(s):
  • data/reports/GO-2022-0375.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-m836-gxwq-j2pm #375)
  • data/reports/GO-2022-1019.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-28q9-9c3g-v3f9 #1019)
  • data/reports/GO-2023-2012.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-9phh-r37v-34wh #2012)
  • data/reports/GO-2023-2397.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-26hr-q2wp-rvc5 #2397)
  • data/reports/GO-2023-2398.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-4rgc-5g6r-2rjf #2398)
  • data/reports/GO-2024-2581.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-fvv5-h29g-f6w5 #2581)
  • data/reports/GO-2024-3291.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-hh33-46q4-hwm2 #3291)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/treeverse/lakefs
      versions:
        - fixed: 1.50.0
      vulnerable_at: 1.49.1
summary: lakeFS allows an authenticated user to cause a crash by exhausting server memory in github.com/treeverse/lakefs
cves:
    - CVE-2025-27100
ghsas:
    - GHSA-j7jw-28jm-whr6
references:
    - advisory: https://github.com/advisories/GHSA-j7jw-28jm-whr6
    - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-j7jw-28jm-whr6
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27100
    - fix: https://github.com/treeverse/lakeFS/commit/3a625752acdf3f8e137bec20451e71d0f9fa82f2
source:
    id: GHSA-j7jw-28jm-whr6
    created: 2025-02-21T22:01:26.022574398Z
review_status: UNREVIEWED