Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository will be able to access any server files accessible by server process. This vulnerability is fixed in 15.0.2.
AnalysisAI
Path traversal in OneDev Git server allows authenticated users with repository push permissions to read arbitrary files accessible to the server process. The vulnerability exploits improper validation of repository-controlled LFS (Large File Storage) metadata to break expected path boundaries, enabling file reads outside intended repository storage. A vendor-released patch is available in version 15.0.2. CVSS 7.1 reflects high confidentiality impact via network-based attack with low complexity requiring only low-privilege authentication.
Technical ContextAI
OneDev is a self-hosted Git server with integrated CI/CD, kanban boards, and package management capabilities. This vulnerability affects the Git LFS (Large File Storage) implementation, which uses pointer files in the repository to reference large binary objects stored separately on the server. The CWE-22 path traversal flaw occurs when OneDev processes LFS metadata files that repositories control - the server fails to properly sanitize or validate file paths embedded in these metadata structures before using them for filesystem operations. This allows repository-controlled data to escape its expected storage boundary and direct the server to read arbitrary local files. The CVSS 4.0 vector confirms network attack vector (AV:N) with low complexity (AC:L) requiring low privileges (PR:L), resulting in high confidentiality impact (VC:H) with no integrity or availability impact.
RemediationAI
Upgrade to OneDev version 15.0.2 or later, which contains the vendor-released patch addressing the LFS metadata path validation issue. The fix is available through the project's GitHub releases at https://github.com/theonedev/onedev. Organizations unable to immediately upgrade should implement compensating controls: restrict repository push permissions to only fully trusted users (conduct access review); enable audit logging for all LFS operations to detect potential exploitation attempts; run the OneDev server process with minimal filesystem permissions using principle of least privilege, restricting access to sensitive directories via OS-level access controls or containerization; consider filesystem isolation through chroot jails or containers to limit blast radius of arbitrary file reads. Note that restricting LFS functionality entirely may break legitimate large file workflows. Review server logs for unusual LFS metadata operations or file access patterns to non-repository paths as potential indicators of exploitation attempts.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30478