CVE-2025-58158
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-02

Assigner: GitHub, Inc.

Description
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-02
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58158
EUVD
EUVD-2025-26231
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
harness gitness *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58158 is a high-severity vulnerability in the Harness Gitness Git LFS server prior to version 3.3.0. It arises from improper input validation in the Git LFS file upload API, specifically due to insufficient sanitization of the upload path. This flaw allows an authenticated malicious user with access to the Gitness server API to craft upload requests that write arbitrary files to any location on the server's filesystem, potentially leading to full server compromise. [1]

Impact Analysis

This vulnerability can impact you by allowing a malicious authenticated user to write arbitrary files anywhere on the server's filesystem. This can lead to a full compromise of the server, affecting confidentiality, integrity, and availability of the system at a high level. [1]

Detection Guidance

Detection involves monitoring for suspicious or unauthorized Git LFS upload API requests to the Harness Gitness server, especially those from authenticated users attempting to upload files with crafted paths. Network traffic analysis tools or API access logs can be used to identify such attempts. Specific commands are not provided in the resources, but inspecting server logs for unusual upload paths or using network packet capture tools (e.g., tcpdump or Wireshark) to filter traffic to the Gitness server API endpoints may help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Harness Gitness Git LFS server to version 3.3.0 or later, where the vulnerability has been patched. The fix includes strict validation of uploaded files by verifying the existence of LFS objects, checking content hashes against declared OIDs, and rejecting invalid uploads, preventing arbitrary file writes. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart