CVE-2025-58158: 
vulnerability analysis and mitigation

CVE-2025-58158 affects Harness Open Source, an end-to-end developer platform, specifically its Git LFS server (Gitness) component. The vulnerability was discovered and disclosed on August 29, 2025, impacting all versions prior to 3.3.0. The flaw exists in the implementation of the upload Git LFS file API, which exposes the system to arbitrary file write attacks due to improper path sanitization (GitHub Advisory, Security Online).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The core issue lies in the improper sanitization of upload paths in the Git LFS file upload API. The vulnerability is classified under CWE-73 (External Control of File Name or Path) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory).

The vulnerability allows authenticated users with access to the Harness Gitness server API to write arbitrary files to any location on the file system. This could lead to server compromise through overwriting critical binaries or configuration files, privilege escalation by planting files in sensitive directories, and potential supply chain risks due to the integration with CI/CD pipelines (Security Online).

The vulnerability has been patched in version 3.3.0 of Harness Open Source. Users are strongly advised to upgrade to this version as all previous versions are affected by this vulnerability (GitHub Advisory).