CVE-2025-58158

CVSS v3.1

8.8

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Harness Open Source versions prior to 3.3.0

Description Harness Open Source’s git Large File Storage (LFS) server (Gitness) exposes APIs for retrieving and uploading files via git LFS. The implementation of the upload git LFS file API is susceptible to arbitrary file write due to improper sanitization of the upload path. An authenticated user with access to the Harness Gitness server API can craft a malicious upload request to write arbitrary files to any location on the file system, potentially compromising the server. Users utilizing git LFS are affected.

Recommendations Upgrade to version 3.3.0 to resolve this issue.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-73

Related Identifiers

CVE-2025-58158

GHSA-W469-HJ2F-JPR5

GO-2025-3926

SUSE-SU-2025:03289-1

Affected Products

Gitness

Harness Open Source

CVE-2025-58158

Weakness Enumeration

Related Identifiers

Affected Products

References · 51