Critical RCE Vulnerability in the Git Large File Storage (LFS) Extension

Security researcher Dawid Golunski has discovered a critical remote code execution bug in Git LFS, an open source Git extension for versioning large files.

"Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like GitHub.com or GitHub Enterprise."

Git LFS (git-lfs) version 2.12 and lower has a vulnerability that allows remote attackers to execute arbitrary code on a victim's Windows system if the victim simply clones the attacker's repository using common git version control tools that make use of the git-lfs subsystem. The bug is tracked as CVE-2020-27955. An attacker can plant a backdoor in the root directory of a malicious repository simply by adding an executable file named as follows:

- git.bat
- git.exe
- git.cmd
- git.vbs

or any other executable extension available on the target Windows system.
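As an added defensive check (not the researcher's PoC and not git-lfs project code): git-lfs on Windows resolved the bare command name `git` against the current directory, the freshly cloned repository root, before the system PATH, which is why the file names listed above matter. The Python below lists files in a repository root that would shadow `git` under Windows' PATHEXT rules; the extension list and the constructed sample repository are assumptions for the demo, not values from the advisory.

```python
import os
import tempfile

# Windows' default PATHEXT set, used when the scanner runs off-Windows.
# Assumed list; on a Windows host the live os.environ["PATHEXT"] is used instead.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC")


def executable_extensions(pathext=None):
    """Lower-cased executable extensions: explicit list, else PATHEXT env, else default."""
    if pathext is None:
        pathext = [e for e in os.environ.get("PATHEXT", "").split(";") if e.strip()]
    exts = [e.lower() for e in pathext]
    return exts or [e.lower() for e in DEFAULT_PATHEXT]


def suspicious_git_shims(repo_root, pathext=None):
    """Regular files directly in repo_root whose name would shadow 'git' on Windows.

    Only the root is scanned: it is the working directory git-lfs runs from
    while the freshly cloned repository is being checked out.
    """
    exts = executable_extensions(pathext)
    hits = []
    for name in os.listdir(repo_root):
        if not os.path.isfile(os.path.join(repo_root, name)):
            continue
        base, ext = os.path.splitext(name)
        # Windows filename lookup is case-insensitive, so compare lower-cased.
        if base.lower() == "git" and ext.lower() in exts:
            hits.append(name)
    return sorted(hits, key=str.lower)


def build_constructed_repo():
    """Create a constructed (not real) repository layout in a temp dir for the demo."""
    root = tempfile.mkdtemp(prefix="lfs-scan-")
    os.mkdir(os.path.join(root, "tools"))
    for rel in ("README.md", "git.txt", "git.cmd", "Git.VBS",
                os.path.join("tools", "git.exe")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample file\n")
    return root


if __name__ == "__main__":
    repo = build_constructed_repo()
    print("files shadowing 'git' in repo root:", suspicious_git_shims(repo, DEFAULT_PATHEXT))
```

Run it against a clone before opening it in any of the clients listed below; a non-empty result on an unpatched git-lfs is a reason to stop and upgrade first.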


CVE-2020-27955 Victims

The researcher stated that applications using Git with an unpatched Git LFS (git-lfs) <= 2.12 on Windows, including Git for Windows, GitHub CLI (gh), GitHub Desktop, SmartGit, SourceTree, Visual Studio Code and GitKraken, have been confirmed to be exploitable in their default configuration / installation. He also noted that other popular clients and development IDEs are deemed to be affected as well, since most of them install git with the git-lfs extension by default. These clients are:

Eclipse, fork, tig, GitExtensions, Magit, TortoiseGit, gmaster, GitAhead, Sublime Merge, Visual Studio, GitAtomic, Tower, git-cola.

Impact of CVE-2020-27955 

The vulnerability is categorised as critical severity because it leads to a full compromise of the victim's system: attackers can execute arbitrary commands remotely without the victim's knowledge. It is therefore highly recommended that users and product vendors update to the latest git-lfs version as soon as possible, as the vulnerability is trivial to exploit.

CVE-2020-27955 POC

The researcher published the PoC code along with a PoC video after reporting the issue to the git-lfs vendor, who issued a patched release on the official website.


