Plattform
go
Komponente
github.com/harness/gitness
Behoben in
3.3.1
3.3.0
1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13
CVE-2025-58158 describes an Arbitrary File Access vulnerability discovered in Harness Gitness, a Git repository management system. This flaw allows attackers to write arbitrary files on the server, potentially leading to severe consequences such as code execution or data breaches. The vulnerability impacts versions of Gitness prior to 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability in Harness Gitness poses a significant threat. An attacker exploiting this flaw could write malicious files to sensitive locations on the server, such as overwriting configuration files or injecting malicious code into executable files. Successful exploitation could lead to complete system compromise, allowing the attacker to gain unauthorized access to data, execute arbitrary commands, and potentially pivot to other systems within the network. The ability to write arbitrary files bypasses typical access controls, making this a particularly dangerous vulnerability. The impact is amplified if Gitness is deployed in a shared hosting environment or integrated with other critical systems.
CVE-2025-58158 was published on 2025-09-17. As of this date, there are no publicly known proof-of-concept exploits. The EPSS score is currently pending evaluation. It's recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation. Given the nature of the vulnerability (arbitrary file write), it is likely to become a target for exploitation once a public exploit is developed.
Organizations using Harness Gitness for Git repository management are at risk, particularly those running older, unpatched versions. Shared hosting environments where multiple users have access to the Gitness instance are especially vulnerable, as a compromised user account could be used to exploit this vulnerability.
• go / server: Monitor Gitness logs for unusual file creation events, especially in unexpected directories. Use journalctl -u gittess to filter for file access logs.
• generic web: Check for unexpected files appearing in the Gitness LFS storage directory. Use curl -I <gitness_url>/lfs/ to check for directory listing exposure (disable if present).
• generic web: Review access logs for requests attempting to write files to unusual locations. Use grep -i 'PUT /lfs/' /var/log/apache2/access.log (adjust path as needed).
disclosure
Exploit-Status
EPSS
0.10% (27% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-58158 is to immediately upgrade to version 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13 or later. Before upgrading, it is crucial to review the release notes for any breaking changes and test the upgrade in a non-production environment. If a direct upgrade is not feasible due to compatibility issues, consider implementing stricter file access controls on the Gitness server to limit the potential impact of the vulnerability. While not a complete fix, restricting write access to specific directories can reduce the attack surface. After upgrading, verify the fix by attempting to write a file to a restricted location and confirming that the operation is denied.
Actualice Harness a la versión 3.3.0 o superior. Esta versión contiene una corrección para la vulnerabilidad de escritura arbitraria de archivos en el servidor Gitness LFS. La actualización evitará que usuarios maliciosos escriban archivos en ubicaciones no autorizadas del sistema.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-58158 is a HIGH severity vulnerability in Harness Gitness that allows an attacker to write arbitrary files, potentially leading to code execution and system compromise. It affects versions before 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13.
You are affected if you are using Harness Gitness versions prior to 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13. Upgrade immediately to mitigate the risk.
Upgrade to version 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13 or later. Review release notes for breaking changes and plan a rollback strategy.
As of 2025-09-17, there are no publicly known active exploitation campaigns, but it's crucial to monitor for any emerging threats.
Refer to the official Harness security advisory for detailed information and updates: [https://www.harness.io/security/advisories](https://www.harness.io/security/advisories)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.