CVE-2021-21237— Git LFS can execute a Git binary from the current directory on Windows
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-21237
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Git LFS can execute a Git binary from the current directory on Windows
Source: NVD (National Vulnerability Database)
Vulnerability Description
Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不可信的搜索路径
Source: NVD (National Vulnerability Database)
Vulnerability Title
Git Lfs 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Git Lfs是Git Lfs团队的一个用于git项目中处理大文件的命令行工具。 Git LFS 存在安全漏洞,该漏洞源于允许攻击者执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-21237
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-21237
请登录查看更多情报信息。
- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5x_refsource_CONFIRM
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955x_refsource_MISC
- https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-21237
IV. Related Vulnerabilities
Same weakness: CWE-426
- CVE-2026-7309
Openshift-controller-manager: openshift container platform: - CVE-2026-35368
uutils coreutils chroot Local Privilege Escalation and chroo - CVE-2026-35603
Claude Code: Insecure System-Wide Configuration Loading Enab - CVE-2026-40947
Yubico多款产品 安全漏洞 - CVE-2026-27290
Adobe Framemaker | Untrusted Search Path (CWE-426)
V. Comments for CVE-2021-21237
No comments yet