What is CVE-2025-27100?

CVE-2025-27100 is a medium-severity vulnerability in lakeFS that allows authenticated users to crash the service by exhausting server memory. Immediate upgrade to version 1.50.0 is recommended to mitigate this risk.

What is the severity of CVE-2025-27100?

CVE-2025-27100 has a severity rating of MEDIUM with a CVSS base score of 6.5.

CVE-2025-27100 | Medium Vulnerability in lakeFS

CVE-2025-27100 is a medium-severity vulnerability affecting lakeFS, an open-source tool that transforms object storage into a Git-like repository. This vulnerability allows an authenticated user to crash lakeFS by exhausting server memory, leading to a denial-of-service condition. The impact on availability is classified as high, as it can render the service unusable for legitimate users.

The CVSS score for this vulnerability is 6.5, indicating a medium level of severity. The vulnerability has been addressed in version 1.50.0 of lakeFS, and users running versions 1.49.1 and below are encouraged to upgrade immediately. For users unable to upgrade, setting the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configuring the `disable_pre_signed_multipart` key to true in their config YAML is advised.

Risk to organizations includes potential downtime and service disruption, which can affect operational capabilities and user trust. Organizations should prioritize patching immediately to mitigate the risk associated with this vulnerability.

As of now, there is no known public exploit available, and the vulnerability is not listed in the KEV catalog. Organizations are advised to remain vigilant and monitor for any updates from the vendor regarding this issue.

Vulnerability Details

The vulnerability allows an authenticated user to exhaust server memory, leading to a denial-of-service condition. The CVSS score of 6.5 indicates that the vulnerability poses a medium risk to the availability of the service.

The affected versions are 1.49.1 and below. Organizations should upgrade to version 1.50.0 as soon as possible to mitigate the vulnerability.

Technical Analysis

The root cause of this vulnerability is due to improper handling of memory allocation, which allows an authenticated user to send requests that consume excessive memory. The attack vector is network-based, with low complexity and low privileges required to exploit this vulnerability.

No user interaction is required, and the vulnerability does not impact confidentiality or integrity, but it significantly affects availability.

Risk & Impact Analysis

Real-world deployment of lakeFS with this vulnerability presents a significant risk to organizations that rely on it for object storage management. The potential for service disruption can lead to loss of productivity, revenue, and customer trust.

Organizations should assess their usage of lakeFS and prioritize patching to version 1.50.0 to mitigate the risk associated with this vulnerability.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions include lakeFS 1.49.1 and earlier. Users are strongly encouraged to upgrade to version 1.50.0 to mitigate this vulnerability.

Mitigation & Remediation

To mitigate this vulnerability, users should upgrade lakeFS to version 1.50.0. For those unable to upgrade, it is recommended to set the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configure the `disable_pre_signed_multipart` key to true in the configuration YAML.

Organizations should regularly monitor for updates and apply patches as they become available to maintain the security and availability of their systems.

Detection Guidance

Organizations should monitor their systems for unusual memory usage patterns that could indicate attempts to exploit this vulnerability. Logging and alerting mechanisms should be in place to detect potential denial-of-service attacks.

AppSecure Threat Intelligence Insight

The vulnerability CVE-2025-27100 presents a significant risk to organizations using lakeFS, particularly those relying on its availability for critical operations. With an EPS score of only 0.00065, the likelihood of exploitation remains low; however, organizations must not become complacent.

Security teams should consider implementing a proactive security posture that includes regular vulnerability assessments and penetration testing to identify and remediate similar issues in their environments.

For additional insights on maintaining security, organizations can refer to our resources on vulnerability management programs and penetration testing methodologies to enhance their security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-27100: Medium Vulnerability in lakeFS