cvedb.io
CVE-2022-24826
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2022-04-20T00:16:50.903 · Last modified 2026-06-17T04:32:36.373

Summary

On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PA
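
As an added illustration (not from this record and not Git LFS project code), a Go check for the file pattern the summary describes: it scans one directory listing for a file with base name `.` and an affected PATHEXT extension sitting beside a file named after a program Git LFS invokes. The program names are the three the summary lists, the `.bat`/`.cmd` exclusion follows the summary, and the PATHEXT value and sample listing are constructed.

```go
package main
import (
	"fmt"
	"strings"
)
// Programs the advisory names as ones Git LFS executes by base name.
var lfsPrograms = map[string]bool{"git": true, "cygpath": true, "uname": true}
// splitName returns base name and lower-cased extension, e.g. "..exe" -> (".", ".exe").
func splitName(name string) (string, string) {
	if i := strings.LastIndex(name, "."); i > 0 {
		return name[:i], strings.ToLower(name[i:])
	}
	return name, "" // no extension, or a dotfile such as ".exe"
}

// FindHazards reports, for one directory listing and a PATHEXT value such as
// ".COM;.EXE;.BAT;.CMD", every pair of a "."-base-name file with an affected
// extension (.bat/.cmd excluded) and a file named after a program Git LFS runs.
func FindHazards(names []string, pathext string) []string {
	exts := map[string]bool{}
	for _, e := range strings.Split(pathext, ";") {
		exts[strings.ToLower(strings.TrimSpace(e))] = true
	}
	var dotFiles, progFiles []string
	for _, n := range names {
		base, ext := splitName(n)
		switch {
		case ext == "" || !exts[ext]: // not an extension Windows executes by name
		case base == "." && ext != ".bat" && ext != ".cmd":
			dotFiles = append(dotFiles, n)
		case lfsPrograms[strings.ToLower(base)]:
			progFiles = append(progFiles, n)
		}
	}
	var hazards []string
	for _, d := range dotFiles {
		for _, p := range progFiles {
			hazards = append(hazards, d+" + "+p)
		}
	}
	return hazards
}

func main() {
	// Constructed sample listing of a checked-out repository's top level.
	listing := []string{"README.md", "..exe", "git.exe", "cygpath.com", "..bat"}
	for _, h := range FindHazards(listing, ".COM;.EXE;.BAT;.CMD") {
		fmt.Println("hazardous pair:", h)
	}
}
```

Running the check over each directory Git LFS is invoked from is the mitigation-side use; a repository with no such pair cannot trigger the lookup described in the summary.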

Affected products

git_large_file_storage_project — git_large_file_storage

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.