Git LFS Remote Code Execution Threat Intel Advisory


CloudSEK Threat Intelligence Advisory on a Git LFS remote code execution (RCE) vulnerability that allows an attacker to exploit the target application, leading to arbitrary code execution (ACE) on the victim host.
Affected versions: Git <= 2.29.2
Git is an open source version control system that manages projects from very small to highly complex and plays a significant role in the development and operations (DevOps) pipeline. Git LFS (Large File Storage) is a free extension that allows versioning of extremely large files by storing their contents on a remote server such as GitHub Enterprise. All Git versions ship with the vulnerable LFS extension, so an attacker can exploit the target application and achieve arbitrary code execution on the victim's host system. To trigger the RCE, the victim downloads an attacker-controlled repository hosted on GitHub; the attacker includes a malicious "git" executable in that repository to obtain command execution on the victim. This "git" executable carries the malicious payload and can have any of the following extensions:
  • git.bat
  • git.exe
  • git.vbs
  • git.cmd
The vulnerable code in the LFS extension does not use the full path of the "git" executable when executing commands. As a result, the git binary is resolved from the current directory, which is dangerous because that file can be controlled by the attacker. When an attacker-controlled repository is cloned to the victim's computer, the LFS extension executes the malicious git executable shipped in the attacker's repository without any user intervention, giving the attacker command execution on the remote victim computer in the security context of the victim.
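The two sides of the issue above, as an added example that is not CloudSEK's or the Git LFS project's code: a scan of a fresh clone for the planted "git" file names the advisory lists, and a resolver that finds git only through absolute PATH entries, never the working directory (the mitigation the advisory describes). The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Names the advisory lists for a planted "git" executable; any of them at the
# clone root shadows real git for a lookup that consults the working directory.
PLANTED_GIT_NAMES = {"git.bat", "git.exe", "git.vbs", "git.cmd"}


def find_planted_git(repo_dir):
    """Return clone-relative paths that a bare 'git' launch would pick up."""
    repo = Path(repo_dir)
    hits = [p.relative_to(repo).as_posix() for p in repo.rglob("*")
            if p.is_file() and p.name.lower() in PLANTED_GIT_NAMES]
    return sorted(hits)


def resolve_from_path(name, path_env, exts=("", ".exe", ".cmd", ".bat")):
    """Resolve `name` only through absolute PATH entries; empty, "." and other
    relative entries (the current-directory hazard) are skipped entirely."""
    for entry in path_env.split(os.pathsep):
        if not os.path.isabs(entry):
            continue  # cwd-relative entries are exactly the hazard
        for ext in exts:
            candidate = Path(entry) / (name + ext)
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate.resolve())  # full path, never bare name
    return None


def demo():
    """Constructed scenario: a PATH dir holding genuine git, plus a clone that
    carries planted git files. Returns (planted paths, resolver picked real)."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        real = bindir / "git"
        real.write_text("#!/bin/sh\necho real git\n")
        real.chmod(real.stat().st_mode | stat.S_IXUSR)
        clone = Path(tmp) / "clone"
        (clone / "tools").mkdir(parents=True)
        (clone / "git.bat").write_text("@echo planted\n")  # constructed sample
        (clone / "tools" / "Git.exe").write_bytes(b"MZ")  # constructed sample
        planted = find_planted_git(clone)
        resolved = resolve_from_path("git", str(bindir) + os.pathsep + ".")
        return planted, resolved == str(real.resolve())
```

Running the scan over a clone before any LFS hook or tool launches git gives a cheap detection signal; the resolver shows why the fix is to execute by absolute path rather than by name.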


Technical Impact
  • Privilege escalation and takeover of the target system, giving the attacker complete control of the victim
  • Data exfiltration and lateral movement to compromise the domain controller or network
  • Malware deployment to push the attack deeper into the network
Business Impact
  • Compromise of production code, with proprietary code made public by posting it on dark web forums
  • Leakage of critical product information and planning data
  • Increased cost due to delays in the development pipeline
  • Attackers install backdoors in ongoing projects, leading to cascading issues and subsequent loss of reputation


The vendor has released updated binaries with the required patches to fix the issue, which can be found here:
