CVE-2025-58158
Published: 29 August 2025
Summary
CVE-2025-58158 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper sanitization of the git LFS upload path by requiring validation of information inputs to block path traversal attacks.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the specific flaw in Harness Gitness prior to version 3.3.0, eliminating the vulnerability.
- Least privilege: limits the impact of a successful arbitrary file write by restricting the Gitness process's filesystem access to the directories it actually needs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): path traversal in the public LFS upload API enables an arbitrary file write, which can lead to web shell deployment and server compromise.
NVD Description
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.
Deeper analysis
CVE-2025-58158 is a path traversal vulnerability (CWE-22, CWE-73) in the Git Large File Storage (LFS) upload API of Harness Open Source, specifically its Gitness component, which serves as the git LFS server. Harness Open Source is an end-to-end developer platform offering source control management, CI/CD pipelines, hosted developer environments, and artifact registries. The flaw stems from improper sanitization of the upload path, enabling arbitrary file writes on affected systems prior to version 3.3.0. Systems using git LFS functionality are vulnerable, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with access to the Harness Gitness server API can exploit this vulnerability by crafting a malicious git LFS file upload request. Because the upload path is not confined to the LFS storage directory, the attacker can write files to any location the Gitness process can reach, potentially leading to full server compromise by overwriting critical configuration files or executables, or by planting malicious code.
The vulnerability has been addressed in Harness Open Source version 3.3.0. Security practitioners should upgrade to this version or later. Additional details are available in the Harness security advisory at https://github.com/harness/harness/security/advisories/GHSA-w469-hj2f-jpr5 and the patching commit at https://github.com/harness/harness/commit/21c5ce42ae13740b1cad47706c2ec85e72cc8c20.
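The following Go snippet is an added example, not code from Harness or the Gitness project (the page does not show the project's actual upload handler or on-disk layout). It contrasts the CWE-22 pattern described above, where a caller-supplied identifier is joined onto the storage root without confinement, with the SI-10 style check a defender would expect: allow-list the git LFS object id (a 64-character SHA-256 hex digest) and then verify that the resolved path still lies under the storage root. The storage root `/srv/lfs`, the sharded `aa/bb/<oid>` layout and the function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrOutsideRoot is returned when a resolved path escapes the storage root.
var ErrOutsideRoot = errors.New("lfs: object path escapes storage root")

// ErrBadOID is returned when the identifier is not a git LFS object id.
var ErrBadOID = errors.New("lfs: object id is not a 64-char lowercase hex string")

// Git LFS object ids are SHA-256 digests, so an allow-list is easy to state.
var oidPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

// unsafeObjectPath mirrors the CWE-22 pattern: the caller-controlled
// identifier is joined onto the storage root with no confinement check.
// filepath.Join normalises ".." segments, but normalisation alone does not
// stop the result from leaving root.
func unsafeObjectPath(root, oid string) string {
	return filepath.Join(root, oid)
}

// confinePath resolves rel beneath root and rejects any result that is not
// inside root. This is the generic, format-independent containment check.
// It is purely lexical; for an on-disk root, resolve symlinks first
// (filepath.EvalSymlinks) so a link inside root cannot point outside it.
func confinePath(root, rel string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, rel)
	back, err := filepath.Rel(cleanRoot, target)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// safeObjectPath applies SI-10 style input validation (allow-list the
// object id) and then defence in depth (confine the resolved path).
// The aa/bb/<oid> sharding is a constructed layout for this example.
func safeObjectPath(root, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrBadOID
	}
	return confinePath(root, filepath.Join(oid[:2], oid[2:4], oid))
}

func main() {
	const root = "/srv/lfs" // assumed storage root
	traversal := "../../tmp/escaped"     // constructed traversal input
	goodOID := strings.Repeat("a", 64)   // constructed, well-formed object id

	fmt.Println("unsafe:", unsafeObjectPath(root, traversal))
	if _, err := safeObjectPath(root, traversal); err != nil {
		fmt.Println("safe rejected:", err)
	}
	if p, err := safeObjectPath(root, goodOID); err == nil {
		fmt.Println("safe accepted:", p)
	}
}
```

The point of keeping `confinePath` separate from the allow-list is that the containment check still holds when the identifier format is looser than a hex digest; the allow-list is the primary control, the `filepath.Rel` check is the backstop.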
Details
- CWE(s)