PT-2022-16905

Yuske

Published: 2022-04-19 · Updated: 2025-08-05

CVE-2022-24826

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Git LFS versions 2.12.1 through 3.1.2

Description: On Windows, if Git LFS operates on a malicious repository containing a ..exe file as well as a file named git.exe, and git.exe is not found in PATH, the ..exe program is executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. The vulnerability occurs because, when Git LFS detects that the program it intends to run does not exist in any directory listed in PATH, it passes an empty string as the executable file path to the Go os/exec package. That package contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., .) to the empty string without adding a path separator; as a result it searches that directory for a file with the base name . combined with any file extension from PATHEXT and executes the first one it finds.

Recommendations: For Git LFS versions 2.12.1 through 3.1.2, upgrade to version 3.1.3 to resolve the issue. As a temporary workaround, consider ensuring that all intended programs are found in PATH to prevent the execution of malicious files. Restrict access to the vulnerable os/exec package in the Go project until a patch is available.
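As an added illustration (not Git LFS or Go project code), the Go snippet below places the pattern the description refers to, a discarded exec.LookPath error that yields an empty executable path, beside a hardened resolver that refuses to run anything it cannot locate in PATH. The program names are constructed; "sh" is assumed to exist on the host.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrNotInPath is returned when the requested program is not found in PATH.
var ErrNotInPath = errors.New("program not found in PATH")

// weakResolve reproduces the problematic pattern: the LookPath error is
// discarded, so a missing program yields "" as the executable path. Passing
// that empty string to exec.Command is what reached the Windows os/exec bug
// described above (a search of the current directory for "." + PATHEXT).
func weakResolve(name string) string {
	path, _ := exec.LookPath(name)
	return path
}

// ResolveProgram is the hardened form: it stops when the program cannot be
// found and never hands an empty path back to the caller.
func ResolveProgram(name string) (string, error) {
	path, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", ErrNotInPath, name, err)
	}
	if path == "" { // defensive: an empty path must never reach exec.Command
		return "", fmt.Errorf("%w: %q resolved to an empty path", ErrNotInPath, name)
	}
	return path, nil
}

// RunResolved executes name with args only after ResolveProgram succeeds,
// so the empty-path fallback is unreachable. It returns trimmed stdout.
func RunResolved(name string, args ...string) (string, error) {
	path, err := ResolveProgram(name)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(path, args...).Output()
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(out)), nil
}
```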

Tags: Exploit · Fix · RCE · Untrusted Search Path

Weakness Enumeration

Related Identifiers

BIT-GIT-LFS-2022-24826
CVE-2022-24826
GHSA-6RW3-3WHW-JVJJ

Affected Products

Git Lfs
Go