
github.com/git-lfs/git-lfs vulnerabilities

6 known vulnerabilities affecting github.com/git-lfs_git-lfs.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3

Vulnerabilities

CVE-2025-26625 | P3 | HIGH | CVSS 8.6 | ≥ 0.5.2, < 3.7.1 | 2025-10-17
CVE-2025-26625 [HIGH] CWE-59: Git LFS may write to arbitrary files via crafted symlinks
Impact: When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. Git LFS has resolved this problem by revising the `git lfs checkout` and `gi
CVE-2017-17831 | P3 | HIGH | ≥ 0, < 2.1.1-0.20170519163204-f913f5f9c7c6 | 2022-05-14
CVE-2017-17831 [HIGH] CWE-20: GitHub Git LFS arbitrary command execution vulnerability
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a `url =` line in a `.lfsconfig` file within a repository.
Specific Go packages affected: github.com/git-lfs/git-lfs/lfsapi
CVE-2024-53263 | P3 | HIGH | CVSS 8.5 | ≥ 0.1.0, ≤ 3.0.0 | 2025-01-14
CVE-2024-53263 [HIGH] CWE-436: Git LFS permits exfiltration of credentials via crafted HTTP URLs
Impact: When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded contr
CVE-2021-21237 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 2.13.2 | 2022-02-15
CVE-2021-21237 [CRITICAL] CWE-426: Git LFS can execute a Git binary from the current directory on Windows
Impact: On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs
CVE-2022-24826 | P3 | CRITICAL | ≥ 2.12.1 | 2022-04-22
CVE-2022-24826 [CRITICAL] CWE-426: Git LFS can execute a binary from the current directory on Windows
Impact: On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository conta
CVE-2020-27955 | CRITICAL | PoC | ≥ 0, < 2.12.1 | 2022-02-11
CVE-2020-27955 [CRITICAL] CWE-427: Git LFS can execute a Git binary from the current directory
Impact: On Windows, if Git LFS operates on a malicious repository with a `git.bat` or `git.exe` file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This occurs because on Windows, Go includes (and prefers) the current directory when the name of