x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-f2ph-gc9m-q55f

[GoVulnBot]

Advisory GHSA-f2ph-gc9m-q55f references a vulnerability in the following Go modules:

Module
github.com/treeverse/lakefs

Description:

Impact

LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. An attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire.

Patches

This issue affects all versions of lakeFS up to and including v1.74.4.

The vulnerability has been fixed in version v1.75.0.

Users should upgrade to version v1.75.0.

Workarounds

Until upgraded, implement these mitigations:

• **Use short-lived credenti...

References:

• ADVISORY: GHSA-f2ph-gc9m-q55f
• ADVISORY: GHSA-f2ph-gc9m-q55f
• FIX: treeverse/lakeFS@92966ae
• FIX: Add expiry validation for S3 gateway requests treeverse/lakeFS#9710
• REPORT: [Bug]: S3 Presigned GET ignores expiration, can be accessed beyond expiration date treeverse/lakeFS#9599

Cross references:

• github.com/treeverse/lakefs appears in 9 other report(s):
  • data/reports/GO-2022-0375.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-m836-gxwq-j2pm #375)
  • data/reports/GO-2022-1019.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-28q9-9c3g-v3f9 #1019)
  • data/reports/GO-2023-2012.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-9phh-r37v-34wh #2012)
  • data/reports/GO-2023-2397.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-26hr-q2wp-rvc5 #2397)
  • data/reports/GO-2023-2398.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-4rgc-5g6r-2rjf #2398)
  • data/reports/GO-2024-2581.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-fvv5-h29g-f6w5 #2581)
  • data/reports/GO-2024-3291.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-hh33-46q4-hwm2 #3291)
  • data/reports/GO-2025-3479.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-j7jw-28jm-whr6 #3479)
  • data/reports/GO-2025-4090.yaml (x/vulndb: potential Go vuln in github.com/treeverse/lakefs: GHSA-h238-5mwf-8xw8 #4090)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/treeverse/lakefs
      versions:
        - fixed: 1.75.0
      vulnerable_at: 1.74.4
summary: lakeFS is Missing Timestamp Validation in S3 Gateway Authentication in github.com/treeverse/lakefs
cves:
    - CVE-2025-68671
ghsas:
    - GHSA-f2ph-gc9m-q55f
references:
    - advisory: https://github.com/advisories/GHSA-f2ph-gc9m-q55f
    - advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f
    - fix: https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8
    - fix: https://github.com/treeverse/lakeFS/pull/9710
    - report: https://github.com/treeverse/lakeFS/issues/9599
source:
    id: GHSA-f2ph-gc9m-q55f
    created: 2026-01-15T22:01:21.281240267Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/736920 mentions this issue: data/reports: add 15 reports