CVE-2025-58158 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-58158 PUBLISHED CVSS 8.800000190734863 HIGH

Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0.

EPSS 0.11% · 29.3th percentile

Risk Scores

CVSS v3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.11%

29.3th percentile

Affected Products

Vendor	Product	Versions
harness	harness	< 3.3.0
github.com	harness/gitness	1.0.4, 0

Timeline

Jan 21, 1970 Security Advisory
Aug 29, 2025 CVE Published
Aug 30, 2025 EPSS Score
Sep 1, 2025 Coalition ESS Score
Sep 2, 2025 Coalition ESS Score
Sep 2, 2025 PoC Published
Sep 6, 2025 EPSS Score
Sep 13, 2025 EPSS Score
Sep 20, 2025 EPSS Score
Sep 28, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 5, 2025 EPSS Score

References

Open in Interactive Console →