The open-source DevOps ecosystem has been hit with another critical security issue, this time in Harness Open Source, a platform that combines code hosting, automated pipelines, Gitspaces, and artifact registries. A newly disclosed vulnerability, tracked as CVE-2025-58158, exposes the Harness Gitness Git LFS server to arbitrary file write attacks. With a CVSS score of 8.8, this flaw poses a significant risk to development teams relying on Git Large File Storage (LFS).
The flaw lies in the file upload API for Git LFS within Harness Gitness. According to the advisory, "Open Source Harness git LFS server (Gitness) exposes API to retrieve and upload files via git LFS. Implementation of upload git LFS file API is vulnerable to arbitrary file write."
The core issue is improper sanitization of upload paths. This allows an attacker with authenticated access to craft malicious upload requests and write files anywhere on the server's filesystem.
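To make the bug class concrete, here is an added Go illustration (not Gitness's code, and not the actual patch) of the difference between joining a caller-supplied LFS object identifier onto a storage root unchecked and validating it first. Git LFS object ids are SHA-256 hex digests, so a server can reject anything that does not match that format before touching the filesystem, and then confirm the resolved path still lies under the store root. The store root, the two-character sharding layout and the `ObjectPath*` function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// lfsOID matches a Git LFS object id: a lowercase, 64-character SHA-256 hex digest.
var lfsOID = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	ErrBadOID       = errors.New("invalid LFS object id")
	ErrEscapesStore = errors.New("resolved path escapes the object store")
)

// ObjectPathUnchecked joins the caller-controlled object id onto the store root
// with no validation. This is the weak pattern: a request parameter alone decides
// where uploaded bytes are written (illustration, not Gitness's implementation).
func ObjectPathUnchecked(storeRoot, oid string) string {
	return filepath.Join(storeRoot, oid)
}

// ObjectPathChecked validates the object id against the LFS OID format and then
// re-checks that the resolved path is inside the store root. The second check is
// redundant once the format check passes, but it keeps the path logic safe if the
// format rule is ever relaxed.
func ObjectPathChecked(storeRoot, oid string) (string, error) {
	if !lfsOID.MatchString(oid) {
		return "", ErrBadOID
	}
	root, err := filepath.Abs(storeRoot)
	if err != nil {
		return "", err
	}
	// Shard objects by their first two hex characters (assumed layout).
	p := filepath.Join(root, oid[:2], oid)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesStore
	}
	return p, nil
}

func main() {
	// Constructed inputs: a traversal-style id and a well-formed one.
	const store = "/var/lib/gitness/lfs"
	for _, oid := range []string{"../../outside.txt", strings.Repeat("a", 64)} {
		fmt.Printf("unchecked: %s\n", ObjectPathUnchecked(store, oid))
		if p, err := ObjectPathChecked(store, oid); err != nil {
			fmt.Printf("checked:   rejected (%v)\n", err)
		} else {
			fmt.Printf("checked:   %s\n", p)
		}
	}
}
```

Run with `go run .`; the unchecked variant resolves the traversal id to a path outside the store, while the checked variant rejects it and only accepts a well-formed digest. The same two checks (strict format on the identifier, then a containment check on the resolved path) apply to any upload API that derives a filesystem location from request data.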
Because the flaw allows writing files to arbitrary paths, the implications are severe:
- Server Compromise: Attackers may overwrite critical binaries or configuration files to gain control of the system.
- Privilege Escalation: By planting files in sensitive directories, attackers could execute malicious payloads with elevated privileges.
- Supply Chain Risk: As Harness Gitness integrates with CI/CD pipelines, compromised servers could poison build artifacts or inject backdoors into code repositories.
The advisory warns, "A malicious authenticated user who has access to Harness Gitness server API can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server."
Affected versions:
- All versions prior to v3.3.0
- Users of Git LFS within Harness Gitness are vulnerable
Harness has released a patched version (v3.3.0) to fix the vulnerability.