Git LFS Remote Code Execution Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Git LFS RCE vulnerability, allowing the attacker to exploit target app leading to ACE on the victim.
Updated on
April 19, 2023
Published on
November 13, 2020
Subscribe to the latest industry news, threats and resources.
Git <= 2.29.2
Git is an open source version control system that manages very small to complex software projects and plays a significant role in the development and operations (DevOps) pipeline. Git-LFS (Large File Storage) is a free extension that allows the versioning of extremely large files by storing the contents on a remote server like Enterprise. All Git versions [ <= 2.29.2] come with vulnerable LFS extensions, hence an attacker can exploit the target application leading to arbitrary code execution on the victim host system. The victim downloads the repository controlled by the attacker, hosted on github to trigger RCE, where the attacker includes malicious “git” executable in their repository to get command execution on the victim. This “git” executable contains the malicious payload. The malicious git can have the following extensions:
  • git.bat
  • git.exe
  • git.vbs
  • git.cmd
Vulnerable code in the LFS extension does not use the full path of the “git” executable on the system while executing commands. As a result, the git binary is loaded from the current directory which is very dangerous as the executable can be controlled by the attacker. When an attacker-controlled repository is cloned to the victim's computer, the LFS extension will execute the malicious git executable (which is present in the attacker’s repository) without user intervention. Now the attacker gains command execution (in the security context of the victim) on the remote victim computer.[/vc_wp_text][vc_wp_text]


Technical Impact
  • Privilege escalation and owning of the target system to take complete control of the victim
  • Data exfiltration and lateral movement to compromise domain controller/ network
  • Malware deployment to further the attack deeper into the network
Business Impact 
  • Compromising the production code, making proprietary code public by posting it on dark web forums
  • Leakage of critical product information and planning data
  • Increased cost due to delays in development pipeline
  • Attackers install backdoor in ongoing projects leading to cascading issues and subsequent loss of reputation


The vendor has updated the latest version of the binaries with required patches to solve the issue, which can be found here:

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations