CVE-2025-26625
Published 2025-10-17
Priority: P3 · 54 · high
CVSS 4.0: 8.6 (High)
EPSS: 0.71% (48.8th percentile)
Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git-lfs | < git-lfs 3.7.1-1 (forky) | git-lfs 3.7.1-1 (forky) |
| git-lfs | git-lfs | — | — |
| git-lfs | git-lfs | >= 0 < 3.7.1-1 | 3.7.1-1 |
| git-lfs | git-lfs | >= 0 < 3.6.1-1ubuntu0.1 | 3.6.1-1ubuntu0.1 |
| git-lfs | git-lfs | >= 0 < 2.3.4-1ubuntu0.1~esm1 | 2.3.4-1ubuntu0.1~esm1 |
| git-lfs | git-lfs | >= 0 < 2.9.2-1ubuntu0.1~esm2 | 2.9.2-1ubuntu0.1~esm2 |
| git-lfs | git-lfs | >= 0 < 3.0.2-1ubuntu0.3+esm2 | 3.0.2-1ubuntu0.3+esm2 |
| git-lfs | git-lfs | >= 0 < 3.4.1-1ubuntu0.3+esm2 | 3.4.1-1ubuntu0.3+esm2 |
| github.com | git-lfs_git-lfs | >= 0.5.2 < 3.7.1 | 3.7.1 |
| github.com | git-lfs_git-lfs | >= 0.5.2 | — |
| github.com | git-lfs_git-lfs_v3 | >= 0 < 3.7.1 | 3.7.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.6 | HIGH | — |
| osv | — | 8.6 | HIGH | — |
| vendor_debian | — | 8.6 | HIGH | — |
| vendor_redhat | — | 8.6 | HIGH | — |
| vendor_ubuntu | — | 8.5 | HIGH | — |
Ubuntu: Git LFS vulnerabilities
vendor_ubuntu · 2026-01-26 · CVSS 8.5 · CVE-2024-53263 [HIGH]
Summary: Several security issues were fixed in Git LFS.

Ryota K discovered that Git LFS may leak login credentials in certain instances due to failing to check for URL-encoded characters. An attacker could possibly use this issue to learn sensitive information. (CVE-2024-53263)

It was discovered that Git LFS could have its git lfs checkout and git lfs pull commands abused to write to any file on a user's system. An attacker could possibly use this issue to execute arbitrary code. This issue was only addressed in Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-26625)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: git-lfs: Git LFS may write to arbitrary files via crafted symlinks
vendor_redhat · 2025-10-17 · CVSS 8.6 · CVE-2025-26625 [HIGH] · CWE-59
Debian: CVE-2025-26625: git-lfs - Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2...
vendor_debian · 2025 · CVSS 8.6 · CVE-2025-26625 [HIGH]
OSV: git-lfs vulnerabilities
osv · 2026-01-26 · CVSS 8.5 · CVE-2024-53263 [HIGH]
OSV: Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs
osv · 2025-10-30 · CVE-2025-26625
OSV: CVE-2025-26625: Git LFS is a Git extension for versioning large files
osv · 2025-10-17 · CVSS 8.6 · CVE-2025-26625 [HIGH]
OSV: Git LFS may write to arbitrary files via crafted symlinks
osv · 2025-10-17 · CVSS 8.6 · CVE-2025-26625 [HIGH]
### Impact
When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS.
Git LFS has resolved this problem by revising the `git lfs checkout` and `git lfs pull` commands so that they check for symbolic links in the same manner as performed by Git before writing to files in the working tree. These commands now also remove existing files in the working tree before writing new files in their place.
As well, Git LFS has resolved a problem whereby the `git lfs checkout` and `git lfs pull` commands, when run in a bare repository, could
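The pre-write check described above, as an added example written for this page and not code from the Git LFS project: it walks every component of a path about to be written with Lstat (so a link is seen rather than followed, as Git does), refuses symlinks and targets with more than one hard link, and exercises the cases on a constructed sample tree. It assumes a Unix-like system (syscall.Stat_t for the link count); the function and file names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// SafeToWrite reports whether writing relPath under root stays inside the working tree: it
// refuses symlinks in any path component (Lstat, as Git does) and a target with several hard links.
func SafeToWrite(root, relPath string) (bool, string) {
	parts := strings.Split(filepath.ToSlash(filepath.Clean(relPath)), "/")
	for i := range parts {
		cur := filepath.Join(root, filepath.Join(parts[:i+1]...))
		fi, err := os.Lstat(cur)
		if err != nil { // an absent path has nothing to collide with; any other error blocks
			return os.IsNotExist(err), ""
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return false, "symlink at " + cur
		}
		if st, ok := fi.Sys().(*syscall.Stat_t); ok && i == len(parts)-1 && st.Nlink > 1 {
			return false, fmt.Sprintf("%d hard links at %s", st.Nlink, cur)
		}
	}
	return true, ""
}

func main() {
	dir, _ := os.MkdirTemp("", "lfs-demo")
	defer os.RemoveAll(dir)
	// Constructed sample tree: a regular file, a symlink leaving the tree, and a hard-link pair.
	for _, e := range []error{
		os.MkdirAll(filepath.Join(dir, "assets"), 0o755),
		os.WriteFile(filepath.Join(dir, "assets", "model.bin"), []byte("x"), 0o644),
		os.Symlink(filepath.Join(filepath.Dir(dir), "outside.txt"), filepath.Join(dir, "assets", "evil.bin")),
		os.WriteFile(filepath.Join(dir, "shared.bin"), []byte("x"), 0o644),
		os.Link(filepath.Join(dir, "shared.bin"), filepath.Join(dir, "link.bin")),
	} {
		if e != nil {
			panic(e)
		}
	}
	for _, p := range []string{"assets/model.bin", "assets/evil.bin", "link.bin", "new/obj.bin"} {
		ok, why := SafeToWrite(dir, p)
		fmt.Printf("%-17s safe=%-5v %s\n", p, ok, why)
	}
}
```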
GHSA: Git LFS may write to arbitrary files via crafted symlinks
ghsa · 2025-10-17 · CVSS 8.6 · CVE-2025-26625 [HIGH] · CWE-59
No detection rules found.
No public exploits indexed.
References:
- https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396
- https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8
- https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615
- https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1
- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5
- https://lists.debian.org/debian-lts-announce/2026/05/msg00055.html