Platform: go
Component: github.com/harness/gitness
Fixed in: 3.3.1, 3.3.0, 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13
CVE-2025-58158 is an arbitrary file write vulnerability in Harness Gitness, a Git repository management platform, located in its Git LFS server. The flaw lets an authenticated user write files to locations on the server outside the LFS storage the upload was meant for, which can lead to code execution and full compromise of the host. It affects Gitness versions before 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13 (Harness 3.3.0 and 3.3.1 carry the fix), and a patched release is available.
Arbitrary file write is a high-impact primitive. An attacker who can choose the destination path of an upload can drop a web shell or a script into a location that gets executed, overwrite the service's configuration or the data the service trusts, or fill or corrupt files to cause a denial of service. Successful exploitation therefore means remote code execution as the Gitness service account and, from there, control of the instance and possibly the underlying infrastructure. Because the write happens through a legitimate, authenticated API, perimeter controls that only look at who may log in do not stop it.
CVE-2025-58158 was publicly disclosed on 2025-09-17. As of that date there is no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog. Its EPSS score is 0.10% (27th percentile). Monitor security advisories and threat-intelligence feeds for signs of active exploitation.
Any organization running an unpatched Gitness version is exposed. Multi-tenant or shared instances, where many users hold accounts, carry the most risk: a single compromised or malicious account is enough to reach the vulnerable upload path.
• go / server: Monitor Gitness logs for file creation outside the configured data directory. If Gitness runs as a systemd unit, journalctl -u gitness (substitute your unit name) gives you its log stream; for a container deployment use the container runtime's log command instead.
• generic web: Check for unexpected files in the Gitness LFS storage directory, in particular anything that is not named by a 64-character hex SHA-256 object ID. Confirm your reverse proxy does not expose that directory: curl -I <gitness_url>/lfs/ should not return a directory listing (disable listing if it does).
• generic web: Review reverse-proxy access logs for PUT/POST requests to the LFS endpoints whose object identifier contains path separators, ".." sequences, or percent-encoded equivalents. A starting point is grep -i 'PUT /lfs/' /var/log/apache2/access.log; adjust the log path and the URL pattern to your proxy and to the LFS route of your Gitness version.
Disclosure: 2025-09-17
Exploit status: no public proof-of-concept
EPSS: 0.10% (27th percentile)
The primary mitigation for CVE-2025-58158 is to upgrade immediately to version 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13 or later. Before upgrading, review the release notes for breaking changes and plan a rollback. There is no direct workaround. Until the upgrade is done, limit the blast radius: run Gitness under a dedicated service account that can write only to its data directory, and keep the rest of the filesystem read-only for that account, so that a file written outside the LFS store cannot land somewhere it would be executed or trusted. Monitor Gitness logs for suspicious file creation or modification.
Update Harness to version 3.3.0 or later. This version contains the fix for the arbitrary file write vulnerability in the Gitness LFS server and prevents malicious users from writing files to unauthorized locations on the system.
CVE-2025-58158 is a HIGH severity arbitrary file write vulnerability in Harness Gitness that can lead to code execution and system compromise. It affects versions before 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13.
You are affected if you run any Harness Gitness version prior to 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13. Upgrade immediately.
Upgrade to version 1.0.4-gitspaces-beta.0.20250808064055-21c5ce42ae13 or later. Review the release notes for breaking changes and plan a rollback strategy.
As of 2025-09-17 no active exploitation campaigns are publicly known, but keep monitoring for emerging threats.
Refer to the official Harness security advisory for detailed information and updates: [https://www.harness.io/security/advisories](https://www.harness.io/security/advisories)