CVE-2022-24826: CWE-426: Untrusted Search Path in git-lfs git-lfs
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds. (The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.) Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case. The bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published. The problem was introduced in version 2.12.1 and is patched in version 3.1.3. Users of affected versions should upgrade to version 3.1.3. There are currently no known workarounds at this time.
AI Analysis
Technical Summary
CVE-2022-24826 is a medium-severity vulnerability affecting Git Large File Storage (git-lfs) on Windows platforms. The issue arises from an untrusted search path weakness (CWE-426) in the way git-lfs executes external programs when operating within a malicious repository. Specifically, if git-lfs attempts to run an intended executable such as 'git.exe' or 'cygpath.exe' but cannot locate it in any directory listed in the system's PATH environment variable, it passes an empty string as the executable path to the Go 'os/exec' package. Due to a bug in this package on Windows, the empty string is interpreted as the current directory ('.') concatenated with a file extension from the PATHEXT environment variable, causing git-lfs to execute a file named '.' plus an extension (e.g., '..exe') found in the current working directory instead of the intended program. This allows an attacker who controls the repository to place malicious executables with names like '..exe' alongside similarly named files (e.g., 'git.exe') to achieve arbitrary code execution when git-lfs runs certain commands. The vulnerability does not affect Unix-based systems due to differences in path handling. Git-lfs versions from 2.12.1 up to but not including 3.1.3 are vulnerable. The issue was fixed in version 3.1.3 by changing git-lfs to report an error when the intended executable is not found in PATH, avoiding the empty string execution path. The underlying Go 'os/exec' package bug has been reported and is expected to be patched in future Go releases. There are currently no known workarounds other than upgrading. No exploits in the wild have been reported to date. This vulnerability requires that the attacker can supply a malicious repository and that the victim runs git-lfs commands on Windows with a PATH environment that does not include the intended executables, conditions that limit but do not eliminate risk.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to Windows-based development environments or CI/CD pipelines that use git-lfs to manage large files in Git repositories. If an attacker can convince a developer or automated system to clone or operate on a malicious repository containing specially crafted files, they could execute arbitrary code with the privileges of the user running git-lfs. This could lead to compromise of developer workstations, injection of malicious code into software builds, or lateral movement within internal networks. The impact on confidentiality, integrity, and availability depends on the attacker's objectives but could include theft of sensitive source code, insertion of backdoors, or disruption of development processes. Since exploitation requires the absence of the intended executables in PATH, environments with misconfigured or minimal PATH variables are at higher risk. The lack of known exploits in the wild and the requirement for user interaction reduce immediate risk, but the vulnerability remains significant for organizations relying heavily on git-lfs in Windows environments. European organizations with large software development operations, especially those in critical infrastructure, finance, or technology sectors, should prioritize remediation to prevent potential supply chain or insider threats.
Mitigation Recommendations
The primary mitigation is to upgrade all git-lfs installations on Windows to version 3.1.3 or later, which contains the fix for this vulnerability. Additionally, organizations should audit and enforce proper PATH environment configurations to ensure that essential executables like 'git.exe' and 'cygpath.exe' are always resolvable and present in PATH during git-lfs operations. Implement strict repository validation and scanning to detect and block repositories containing suspicious files with names like '..exe' or other unusual extensions that could exploit this vulnerability. Employ endpoint protection solutions that can detect and prevent execution of unauthorized binaries in developer environments. Integrate security awareness training for developers to recognize and avoid cloning or operating on untrusted or suspicious repositories. For CI/CD pipelines, run git-lfs commands in isolated or containerized environments with controlled PATH variables and limited privileges to reduce the impact of potential exploitation. Monitor logs for unusual git-lfs execution behaviors or errors indicating missing executables in PATH, which could signal attempted exploitation. Finally, track updates to the Go runtime to apply patches addressing the underlying os/exec package bug once available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain, Belgium
CVE-2022-24826: CWE-426: Untrusted Search Path in git-lfs git-lfs
Description
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds. (The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.) Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case. The bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published. The problem was introduced in version 2.12.1 and is patched in version 3.1.3. Users of affected versions should upgrade to version 3.1.3. There are currently no known workarounds at this time.
AI-Powered Analysis
Technical Analysis
CVE-2022-24826 is a medium-severity vulnerability affecting Git Large File Storage (git-lfs) on Windows platforms. The issue arises from an untrusted search path weakness (CWE-426) in the way git-lfs executes external programs when operating within a malicious repository. Specifically, if git-lfs attempts to run an intended executable such as 'git.exe' or 'cygpath.exe' but cannot locate it in any directory listed in the system's PATH environment variable, it passes an empty string as the executable path to the Go 'os/exec' package. Due to a bug in this package on Windows, the empty string is interpreted as the current directory ('.') concatenated with a file extension from the PATHEXT environment variable, causing git-lfs to execute a file named '.' plus an extension (e.g., '..exe') found in the current working directory instead of the intended program. This allows an attacker who controls the repository to place malicious executables with names like '..exe' alongside similarly named files (e.g., 'git.exe') to achieve arbitrary code execution when git-lfs runs certain commands. The vulnerability does not affect Unix-based systems due to differences in path handling. Git-lfs versions from 2.12.1 up to but not including 3.1.3 are vulnerable. The issue was fixed in version 3.1.3 by changing git-lfs to report an error when the intended executable is not found in PATH, avoiding the empty string execution path. The underlying Go 'os/exec' package bug has been reported and is expected to be patched in future Go releases. There are currently no known workarounds other than upgrading. No exploits in the wild have been reported to date. This vulnerability requires that the attacker can supply a malicious repository and that the victim runs git-lfs commands on Windows with a PATH environment that does not include the intended executables, conditions that limit but do not eliminate risk.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to Windows-based development environments or CI/CD pipelines that use git-lfs to manage large files in Git repositories. If an attacker can convince a developer or automated system to clone or operate on a malicious repository containing specially crafted files, they could execute arbitrary code with the privileges of the user running git-lfs. This could lead to compromise of developer workstations, injection of malicious code into software builds, or lateral movement within internal networks. The impact on confidentiality, integrity, and availability depends on the attacker's objectives but could include theft of sensitive source code, insertion of backdoors, or disruption of development processes. Since exploitation requires the absence of the intended executables in PATH, environments with misconfigured or minimal PATH variables are at higher risk. The lack of known exploits in the wild and the requirement for user interaction reduce immediate risk, but the vulnerability remains significant for organizations relying heavily on git-lfs in Windows environments. European organizations with large software development operations, especially those in critical infrastructure, finance, or technology sectors, should prioritize remediation to prevent potential supply chain or insider threats.
Mitigation Recommendations
The primary mitigation is to upgrade all git-lfs installations on Windows to version 3.1.3 or later, which contains the fix for this vulnerability. Additionally, organizations should audit and enforce proper PATH environment configurations to ensure that essential executables like 'git.exe' and 'cygpath.exe' are always resolvable and present in PATH during git-lfs operations. Implement strict repository validation and scanning to detect and block repositories containing suspicious files with names like '..exe' or other unusual extensions that could exploit this vulnerability. Employ endpoint protection solutions that can detect and prevent execution of unauthorized binaries in developer environments. Integrate security awareness training for developers to recognize and avoid cloning or operating on untrusted or suspicious repositories. For CI/CD pipelines, run git-lfs commands in isolated or containerized environments with controlled PATH variables and limited privileges to reduce the impact of potential exploitation. Monitor logs for unusual git-lfs execution behaviors or errors indicating missing executables in PATH, which could signal attempted exploitation. Finally, track updates to the Go runtime to apply patches addressing the underlying os/exec package bug once available.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-02-10T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9843c4522896dcbf2c2d
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 11:19:56 AM
Last updated: 7/31/2025, 5:03:00 PM
Views: 14
Related Threats
CVE-2025-9097: Improper Export of Android Application Components in Euro Information CIC banque et compte en ligne App
MediumCVE-2025-9096: Cross Site Scripting in ExpressGateway express-gateway
MediumCVE-2025-9095: Cross Site Scripting in ExpressGateway express-gateway
MediumCVE-2025-7342: CWE-798 Use of Hard-coded Credentials in Kubernetes Image Builder
HighCVE-2025-9094: Improper Neutralization of Special Elements Used in a Template Engine in ThingsBoard
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.