GHSA-j7jw-28jm-whr6
First published: Fri Feb 21 2025(Updated: )
### Impact An authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. ### Patches This problem has been patched and exists in versions 1.49.1 and below ### Workarounds On S3 backends, configure ```yaml # ... blockstore: s3: disable_pre_signed_multipart: true ``` or set environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true`. ### References _Are there any links users can visit to find out more?_
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/treeverse/lakefs | <1.50.0 | 1.50.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-j7jw-28jm-whr6?
The severity of GHSA-j7jw-28jm-whr6 is classified as an authenticated denial-of-service vulnerability.
How do I fix GHSA-j7jw-28jm-whr6?
To fix GHSA-j7jw-28jm-whr6, upgrade to lakeFS version 1.50.0 or later.
What causes the GHSA-j7jw-28jm-whr6 vulnerability?
GHSA-j7jw-28jm-whr6 vulnerability is caused by an authenticated user exhausting server memory.
Can I mitigate GHSA-j7jw-28jm-whr6 without upgrading?
Yes, you can mitigate GHSA-j7jw-28jm-whr6 on S3 backends by configuring the blockstore appropriately.
Is GHSA-j7jw-28jm-whr6 still present in newer versions?
No, GHSA-j7jw-28jm-whr6 has been patched and is not present in lakeFS version 1.50.0 and above.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-j7jw-28jm-whr6
- alias/CVE-2025-27100
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/source
- agent/type
- agent/description
- agent/first-publish-date
- agent/tags
- agent/softwarecombine
- agent/event
- package-manager/go