
Cloud Vulnerability DB
A community-led vulnerabilities database
On Windows, Git LFS versions 2.12.1 through 3.1.2 contain a vulnerability that allows arbitrary code execution when operating on a malicious repository. The vulnerability was discovered and disclosed in April 2022, affecting the Git Large File Storage (LFS) extension (GitHub Advisory, NVD).
The vulnerability occurs when Git LFS detects that a program it intends to run does not exist in any directory listed in PATH. In this case, Git LFS passes an empty string as the executable file path to the Go os/exec package. On Windows, this package contains a bug where it prepends the current working directory (.) to the empty string without adding a path separator. This causes it to search for and execute files with base name . combined with any extension from PATHEXT in the current directory. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).
An attacker can exploit this vulnerability by creating a malicious repository containing a ..exe file along with a file named git.exe (or similar combinations). When Git LFS operates on this repository and cannot find the intended program in PATH, it will execute the malicious ..exe file instead, allowing arbitrary code execution. This vulnerability only affects Windows systems (GitHub Advisory).
The vulnerability has been patched in Git LFS version 3.1.3. Users of affected versions should upgrade to version 3.1.3 or later. The fix ensures that Git LFS always reports an error when a program is not found in PATH rather than passing an empty string to the Go os/exec package. There are no known workarounds for this vulnerability (GitHub Advisory).
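As an added illustration (not code from Git LFS or from this advisory), the following Go program shows both sides of the issue described above: a defender-side check that flags repository entries whose base name is "." joined to a PATHEXT extension (the "..exe" pattern the buggy lookup would execute from the working directory), and the hardened lookup pattern the fix follows, which resolves the program through PATH and returns an error instead of ever handing an empty string to os/exec. Function names and the sample listing are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// suspiciousEntries flags repository entries (base names) that the affected
// os/exec lookup would try for an empty program path: "." (the working
// directory, no separator added) + a PATHEXT extension, e.g. "..exe".
func suspiciousEntries(entries []string, pathext string) []string {
	exts := map[string]bool{}
	for _, ext := range strings.Split(strings.ToLower(pathext), ";") {
		if ext != "" {
			exts[ext] = true
		}
	}
	var hits []string
	for _, entry := range entries {
		lower := strings.ToLower(entry) // Windows file names are case-insensitive
		if strings.HasPrefix(lower, ".") && exts[lower[1:]] {
			hits = append(hits, entry)
		}
	}
	return hits
}

// resolveProgram is the hardened pattern the fix follows: resolve the program
// through PATH first and fail with an error instead of ever handing "" to exec.
func resolveProgram(name string) (string, error) {
	if name == "" {
		return "", errors.New("refusing to run a program with an empty name")
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("%q not found in PATH: %w", name, err)
	}
	return path, nil
}

func main() {
	// Constructed sample repository listing, not data from the advisory.
	listing := []string{"README.md", "git.exe", "..exe", "..BAT", ".gitattributes"}
	fmt.Println(suspiciousEntries(listing, ".COM;.EXE;.BAT;.CMD")) // [..exe ..BAT]
	_, err := resolveProgram("")
	fmt.Println("blocked:", err)
}
```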
Source: This report was generated using AI