CVE-2020-27955
Description
Git LFS 2.12.0 allows Remote Code Execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/git-lfs/git-lfs (Go) | < 2.12.1 | 2.12.1 |
Affected products
- (no CPE) range: >= 2.12.0, < 2.12.1
- (no CPE) range: < 2.12.1
Patches
Vulnerability mechanics
Root cause
"Git LFS calls exec.Command("git", ...) without a full path to the git binary, allowing an attacker-controlled executable in the current directory to be executed instead."
Attack vector
An attacker creates a malicious repository containing an executable file named `git.bat`, `git.exe`, or `git.cmd` (or any other executable extension) placed in a directory that will be searched before the real `git` binary. When a victim on Windows clones this repository using a tool that invokes Git LFS (such as `git`, GitHub CLI, GitHub Desktop, or SourceTree), Git LFS calls `ExecCommand("git", ...)` which resolves to the attacker's planted executable instead of the system `git` binary due to the uncontrolled search path [CWE-427] [ref_id=1]. This allows arbitrary code execution on the victim's system.
Affected code
The vulnerability resides in `subprocess/subprocess_windows.go` within the `ExecCommand()` function. This function calls `exec.Command(name, arg...)` without specifying a full path to the `git` binary, relying on Windows' search path resolution instead [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation guidance is clear: Git LFS must specify the full absolute path to the `git` binary when spawning subprocesses, rather than relying on the system's search path [ref_id=1]. By using a fully qualified path, the `exec.Command()` call would no longer be susceptible to a planted `git.bat`/`git.exe` in the current directory or anywhere else in the search order that an attacker can control [CWE-427].
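The following Go snippet is an added illustration, not code from the Git LFS project or the advisory, of the pattern described under "Affected code" beside a hardened variant of the remediation described above. It resolves `git` once with `exec.LookPath`, refuses a result that Go reports as relative to the current directory (`exec.ErrDot`, available since Go 1.19), and additionally rejects any resolved path that is not absolute or that lies inside the cloned working tree. The function names (`ExecCommandVulnerable`, `ExecCommandFixed`, `vetGitPath`, `isTrustedGitPath`) and the sample paths are assumptions for this example.

```go
package main

// Added example (not Git LFS project code): the pre-fix ExecCommand pattern
// beside a hardened variant that resolves git to an absolute path once and
// refuses any resolution that points into the current directory or the
// cloned repository. Function names and sample paths are assumptions.

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ExecCommandVulnerable mirrors the affected pattern: the bare name "git" is
// handed to exec.Command, so the OS search order (which on Windows includes
// the current directory) decides which binary actually runs.
func ExecCommandVulnerable(name string, arg ...string) *exec.Cmd {
	return exec.Command(name, arg...)
}

// isTrustedGitPath accepts only an absolute path that does not live inside
// repoDir, the working tree whose contents came from an untrusted clone.
func isTrustedGitPath(candidate, repoDir string) bool {
	if !filepath.IsAbs(candidate) || !filepath.IsAbs(repoDir) {
		return false
	}
	rel, err := filepath.Rel(filepath.Clean(repoDir), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	// A relative path that starts with ".." escapes repoDir; anything else
	// (including "." for repoDir itself) is inside the working tree.
	outside := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	return outside
}

// vetGitPath applies the hardening rules to the result of exec.LookPath.
// It is separated from findGit so the decision logic can be exercised with
// constructed inputs and without a git installation.
func vetGitPath(resolved string, lookErr error, repoDir string) (string, error) {
	// Go 1.19+ returns exec.ErrDot when the name resolved relative to the
	// current directory (implicitly on Windows, or via "." in PATH elsewhere).
	if errors.Is(lookErr, exec.ErrDot) {
		return "", fmt.Errorf("refusing %q: git resolved relative to the current directory", resolved)
	}
	if lookErr != nil {
		return "", lookErr
	}
	if !isTrustedGitPath(resolved, repoDir) {
		return "", fmt.Errorf("refusing %q: not an absolute path outside repository %q", resolved, repoDir)
	}
	return resolved, nil
}

// findGit resolves git once with exec.LookPath and vets the answer.
func findGit(repoDir string) (string, error) {
	resolved, err := exec.LookPath("git")
	return vetGitPath(resolved, err, repoDir)
}

// ExecCommandFixed spawns git only through a vetted absolute path, which is
// the remediation the advisory describes.
func ExecCommandFixed(repoDir string, arg ...string) (*exec.Cmd, error) {
	gitPath, err := findGit(repoDir)
	if err != nil {
		return nil, err
	}
	return exec.Command(gitPath, arg...), nil
}

func main() {
	repoDir, _ := os.Getwd()
	cmd, err := ExecCommandFixed(repoDir, "--version")
	if err != nil {
		fmt.Println("git not usable:", err)
		return
	}
	fmt.Println("would run:", cmd.Path, cmd.Args[1:])
}
```

The working-tree check matters because the planted executable arrives with the clone: even with `ErrDot` handling in place, a `PATH` entry that an attacker can influence would not be caught by Go's current-directory rule alone, so the fixed variant also insists the resolved binary sits outside the repository. On Go 1.19 and later, `exec.Command` itself records `ErrDot` in `cmd.Err` for a bare name that resolves to the current directory, which is a useful second line of defence but does not replace resolving to an absolute path up front.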
Preconditions
- OS: the victim must be running on Windows, where exec.Command includes the current directory in the search path
- Input: the victim must clone a malicious repository using a tool that invokes Git LFS (e.g., git, GitHub CLI, GitHub Desktop, SourceTree)
- Input: the attacker must include an executable named git.bat, git.exe, or git.cmd in the repository at a location that will be resolved before the real git binary
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4g4p-42wc-9f3m (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-27955 (advisory)
- packetstormsecurity.com/files/159923/git-lfs-Remote-Code-Execution.html
- packetstormsecurity.com/files/164180/Git-git-lfs-Remote-Code-Execution.html
- seclists.org/fulldisclosure/2020/Nov/1 (mailing list)
- exploitbox.io
- github.com/git-lfs/git-lfs/releases
- github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m
- legalhackers.com
- legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
News mentions
No linked articles in our index yet.