Git Large File Storage Remote Code Execution Vulnerability on Windows systems (CVE-2020-27955)


Git is a free and open-source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

A critical vulnerability was reported in the Git framework in Git Large File Storage (LFS). With this vulnerability, Windows-system victims are tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool. Dawid Golunski,a security researcher, discovered this loophole in the Git framework.

Datasets, audio, video, graphics and other such files are considered as Large Files. These files can be stored on a remote server handled by or GitHub Enterprise. Through the malicious repository developed by nefarious actors, attackers can implant a backdoor in the root directory of malicious repositories by adding executables such as git.bat, git.exe, git.cmd, git.vbs etc.

Windows users using vulnerable versions of Git download the malicious repository and as a result get tricked into executing the malicious executables rather than the original trusted git binary. This causes RCE. A POC for the same was disclosed in a video.

According to the POC, an exploit may be prepared with the following steps for a Windows system:

  1. Open PowerShell.
  2. Create a file named git.bat with the following contents:


echo “git.bat executed, vulnerable”  > exploited

  1. Run the command:

git-lfs track

If the system has a vulnerable git-lfs version installed, ‘exploited’ file gets created in the current directory.

Image Source: ExploitBox

For Windows users, the system gets fully compromised without the knowledge of victims and an attacker can exploit to execute arbitrary commands remotely.

Affected Git Versions

– Git prior or equal to 2.29.2 on Windows systems

– GitHub CLI (gh)

– GitHub Desktop

– SmartGit

– SourceTree

– Visual Studio Code

– GitKraken


The latest git release which contains the patched version of
git-lfs may be installed.

Qualys Detection

Qualys customers can scan their network with QID 373988 to detect vulnerable assets. Kindly continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.


Leave a Reply

Your email address will not be published. Required fields are marked *