Harness Gitness LFS Server Arbitrary File Write Vulnerability CVE-2025-XXXXX (Critical)


The CVE-2025-XXXXX vulnerability in the Harness Gitness LFS server stems from improper sanitization of user-supplied input within the file upload API endpoint. An authenticated attacker can craft a malicious Git LFS request containing path traversal sequences (e.g., ../../) within the `oid` or other file path parameters. The server fails to validate or normalize this input, allowing the request to break out of the intended data directory. Consequently, the server processes the request and writes the uploaded file contents to an arbitrary, attacker-specified location on the host’s filesystem. This primitive can be leveraged to overwrite critical system files, deploy a web shell for remote code execution, or manipulate application logic, leading to a full compromise of the underlying server.
Platform: Harness Gitness
Version: < 3.3.0
Vulnerability: Arbitrary File Write
Severity: Critical

Date: 2025-08-29

Prediction: Patch Available

What Undercode Says:

# Crafting a malicious LFS request (<TOKEN> and the target host are placeholders)
curl -X POST -H "Authorization: Bearer <TOKEN>" \
  -H "Accept: application/vnd.git-lfs+json" \
  -H "Content-Type: application/vnd.git-lfs+json" \
  -d '{"oid":"../../../tmp/payload", "size":123, "actions":{"upload":{"href":"http://target/api/upload"}}}' \
  http://target-gitness-server.com/api/endpoint

# Example of a vulnerable path concatenation in code (Go)
filePath := filepath.Join(baseDataDir, userProvidedOid) // Vulnerable: Join cleans the ".." elements instead of rejecting them, so the result lands outside baseDataDir; proper sanitization is missing

How to Exploit:

Craft malicious Git LFS upload requests with path traversal sequences in the `oid` parameter to write files outside the intended storage directory, potentially leading to remote code execution.

Protection from this CVE:

Upgrade to Gitness version 3.3.0 immediately. Implement strict input validation and path sanitization for all file operations. Apply the principle of least privilege to server processes.
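The two mitigations named above, strict validation of the `oid` and confinement of the resulting path to the data directory, shown next to the vulnerable `filepath.Join` pattern from the snippet. This is an added Go example written for this page, not Gitness's own code; `baseDataDir`, the sharded object layout and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed base directory for stored LFS objects (illustrative, not Gitness's layout).
const baseDataDir = "/var/lib/lfs/objects"

// Git LFS object ids are SHA-256 digests: exactly 64 lowercase hex characters.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	ErrInvalidOID  = errors.New("oid is not a 64-character lowercase SHA-256 hex digest")
	ErrOutsideBase = errors.New("resolved path escapes the data directory")
)

// vulnerableObjectPath mirrors the snippet quoted above. filepath.Join cleans
// the result, but cleaning resolves ".." elements instead of rejecting them, so
// an oid of "../../../tmp/payload" yields a path outside baseDataDir.
func vulnerableObjectPath(base, oid string) string {
	return filepath.Join(base, oid)
}

// withinBase reports whether candidate is base itself or a descendant of it.
// It uses filepath.Rel rather than a string-prefix check so that a sibling
// directory such as "/var/lib/lfs/objects-evil" is not mistaken for a child.
func withinBase(base, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeObjectPath is the hardened form: allow-list the oid format first, then
// confirm the final path is still under base as a second, independent check.
func safeObjectPath(base, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrInvalidOID
	}
	// A sharded layout (first two byte pairs of the digest as directories) is assumed.
	full := filepath.Join(base, oid[:2], oid[2:4], oid)
	if !withinBase(base, full) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	traversal := "../../../tmp/payload" // constructed traversal oid, as in the request above
	valid := strings.Repeat("ab", 32)   // constructed 64-hex-char oid

	fmt.Println("vulnerable join:", vulnerableObjectPath(baseDataDir, traversal))
	for _, oid := range []string{traversal, "ABCD", valid} {
		p, err := safeObjectPath(baseDataDir, oid)
		fmt.Printf("safeObjectPath(%q) -> %q, err=%v\n", oid, p, err)
	}
}
```

The format check alone would already reject the traversal oid; `withinBase` is kept as a second layer so that a future relaxation of the allow-list (or a different code path that builds object paths) still cannot write outside the data directory.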

Impact:

Full server compromise, arbitrary remote code execution, and unauthorized data access or destruction via file system manipulation.


Sources:

Reported By: github.com
