CVE-2025-58158

HIGH

Harness Open Source <3.3.0 - Command Injection

Title source: llm

Description

Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.

References (2)

[Vendor Advisory] https://github.com/harness/harness/security/advisories/GHSA-w469-hj2f-jpr5

[Patch] https://github.com/harness/harness/commit/21c5ce42ae13740b1cad47706c2ec85e72cc8c20

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0010

EPSS Percentile 28.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-73

Status published

Products (2)

harness/gitness 1.0.4 - 3.3.0Go

harness/harness < 3.3.0

Published Aug 29, 2025

Tracked Since Feb 18, 2026