CVE-2020-27955
Git LFS on Windows is vulnerable to remote code execution when cloning a malicious repo, due to Go behavior that may execute a current-directory binary (git.bat/git.exe). The issue is a known incomplete fix for CVE-2020-27955 and is discussed across advisories (GHSA-CX3W-XQMC-84G5; GHSA-4G4P-42WC...
CVE-2021-21237
Summary (CVE-2021-21237): Git LFS on Windows is vulnerable to remote code execution when operating on a malicious repository that contains a git.bat or git.exe in the current directory. The Go runtime on Windows includes the current directory for command names without a directory separator, causi...
CVE-2022-24826
Git LFS on Windows is affected by CVE-2022-24826 where, when a malicious repository contains a file with a base name "." and a file extension from PATHEXT and a conflicting executable name (e.g., git.exe, uname, cygpath.exe), Git LFS may cause an attacker-controlled binary in the current director...
CVE-2017-17831
CVE-2017-17831 affects GitHub Git LFS prior to 2.1.1. A remote attacker can trigger arbitrary command execution by supplying an SSH URL whose hostname starts with the dash character, as parsed from a url = line in a repository’s .lfsconfig. This corresponds to a high-severity impact (CVSS v3.0: 8...