github.com/git-lfs/git-lfs/v3 vulnerabilities
3 known vulnerabilities affecting github.com/git-lfs/git-lfs/v3.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, UNKNOWN 1
Vulnerabilities
CVE-2025-26625 | P3 | UNKNOWN | ≥ 0, < 3.7.1 | 2025-10-30
CVE-2025-26625 Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs
osv
CVE-2024-53263 | P3 | HIGH | CVSS 8.5 | ≥ 3.0.0, < 3.6.1 | 2025-01-14
CVE-2024-53263 [HIGH] CWE-436 Git LFS permits exfiltration of credentials via crafted HTTP URLs
### Impact
When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded contr
ghsa, osv
CVE-2022-24826 | P3 | CRITICAL | ≥ 3.0.0, < 3.1.3 | 2022-04-22
CVE-2022-24826 [CRITICAL] CWE-426 Git LFS can execute a binary from the current directory on Windows
### Impact
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.
Similarly, if the malicious repository conta
ghsa, osv