Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-58158

Good to know:

icon
icon

Date: August 29, 2025

Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.

Severity Score

Related Resources (5)

https://github.com/harness/harness
https://github.com/harness/harness/commit/21c5ce42ae13740b1cad47706c2ec85e72cc8c20
https://nvd.nist.gov/vuln/detail/CVE-2025-58158
https://github.com/harness/harness/security/advisories/GHSA-w469-hj2f-jpr5
https://www.mend.io/vulnerability-database/CVE-2025-58158

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

External Control of File Name or Path

CWE-73

Top Fix

icon

Upgrade Version

Upgrade to version github.com/harness/gitness - v3.3.0;github.com/harness/gitness - v1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us