Cyber Resilience

CVE-2025-58158

High

Published: 29 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in version 3.3.0)
CVSS Score (v3.1): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0016 (36.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58158 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the attacker needs an authenticated account on the Gitness API (CVSS PR:L). EPSS ranks it at the 36.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation); running the Gitness process with least-privilege filesystem access limits the impact of a successful write.

Deeper analysis

CVE-2025-58158 is a path traversal vulnerability (CWE-22, CWE-73) in the git Large File Storage (LFS) upload API of Harness Open Source, specifically its Gitness component, which acts as the git LFS server. Harness Open Source is an end-to-end developer platform offering source control management, CI/CD pipelines, hosted developer environments, and artifact registries. The flaw stems from improper sanitization of the upload path: a client-controlled value is used to build the destination path on disk, so versions prior to 3.3.0 allow an arbitrary file write. Only deployments that use git LFS are exposed. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, requiring a low-privileged account, no user interaction, and high impact to confidentiality, integrity and availability.

An authenticated attacker with access to the Gitness server API can exploit the flaw with a crafted git LFS upload request whose path component is not constrained to the object store. The attacker can then write files to any location the Gitness process can reach on the server's file system, which can escalate to full compromise through techniques such as overwriting configuration files or executables, or planting code that the server or a scheduled job later executes. The impact is bounded by the privileges of the Gitness process, so running it with minimal filesystem access reduces what a successful write can reach.

The vulnerability has been addressed in Harness Open Source version 3.3.0. Security practitioners should upgrade to this version or later. Additional details are available in the Harness security advisory at https://github.com/harness/harness/security/advisories/GHSA-w469-hj2f-jpr5 and the patching commit at https://github.com/harness/harness/commit/21c5ce42ae13740b1cad47706c2ec85e72cc8c20.
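The weakness class and the fix pattern, as an added Go example (Gitness is written in Go). This is illustrative code written for this page, not Gitness's implementation or the 3.3.0 patch; the store root, the two-level sharded layout and the sample object ID are assumptions of the example:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Git LFS object IDs are SHA-256 digests: exactly 64 lowercase hex characters.
// Anything else in the identifier position is not a legitimate LFS object name.
var lfsOIDPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	ErrInvalidOID   = errors.New("lfs: object id is not a 64-character lowercase hex sha256")
	ErrOutsideStore = errors.New("lfs: resolved path escapes the object store")
)

// unsafeObjectPath models the weakness class (CWE-22 / CWE-73): the
// client-supplied identifier is joined onto the store root with no validation.
// filepath.Join cleans the result but does not stop "..", so a crafted
// identifier yields a path outside the store. Illustrative only; this is not
// Gitness's code.
func unsafeObjectPath(storeRoot, oid string) string {
	return filepath.Join(storeRoot, oid)
}

// safeObjectPath is the hardened equivalent: an allow-list on the identifier
// first, then a containment check on the resolved path as defence in depth
// (it catches a future loosening of the allow-list). The two-level sharding
// (ab/cd/abcd...) follows the git-lfs client's local layout and is an
// assumption of this example, not a statement about how Gitness stores objects.
func safeObjectPath(storeRoot, oid string) (string, error) {
	if !lfsOIDPattern.MatchString(oid) {
		return "", ErrInvalidOID
	}
	root := filepath.Clean(storeRoot)
	full := filepath.Join(root, oid[0:2], oid[2:4], oid)

	// Containment: the path relative to the root must not start with "..".
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideStore
	}
	return full, nil
}

func main() {
	root := "/var/lib/gitness/lfs" // hypothetical store root for the demo
	evil := "../../../../etc/cron.d/backdoor"
	// Sample OID: sha256("test"), used here only as a well-formed identifier.
	good := "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

	fmt.Println("unsafe join  :", unsafeObjectPath(root, evil))
	p, err := safeObjectPath(root, good)
	fmt.Println("safe, valid  :", p, err)
	_, err = safeObjectPath(root, evil)
	fmt.Println("safe, crafted:", err)
}
```

Note that filepath.Join is not a sanitizer: it normalizes ".." into a parent-directory hop rather than rejecting it, which is exactly how the unsafe version lands outside the store. The allow-list on the identifier does the real work; the containment check is a second layer, and least privilege on the process's filesystem access (see Mitigating Controls) bounds what a write that slipped past both could reach.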

Vulnerability details

Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, the Open Source Harness git LFS server (Gitness) exposes an API to retrieve and upload files via git LFS. The implementation of the upload git LFS file API is vulnerable to arbitrary file write. Due to improper sanitization of the upload path, a malicious authenticated user who has access to the Harness Gitness server API can use a crafted upload request to write an arbitrary file to any location on the file system, and may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in the LFS upload API lets an authenticated user (CVSS PR:L) write arbitrary files. On an Internet-facing Gitness instance that maps to T1190 for initial access, and to T1505.003 where the write is used to drop a web shell or backdoor a served executable for persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30940 (shared CWE-22, CWE-73)
CVE-2026-9559 (shared CWE-22, CWE-73)
CVE-2025-1661 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2019-25471 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2025-67684 (shared CWE-22)
CVE-2025-41758 (shared CWE-22)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the improper sanitization of the git LFS upload path by requiring validation of information inputs to block path traversal attacks.

SI-2 Flaw Remediation (prevent)

Ensures timely identification, reporting, and patching of the specific flaw in Harness Gitness prior to version 3.3.0, eliminating the vulnerability.

AC-6 Least Privilege (prevent)

Limits the impact of successful arbitrary file writes by enforcing least privilege on the Gitness process's filesystem access.
