PT-2025-42616

Published: 2025-10-06 · Updated: 2026-05-31 · CVE-2025-26625

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Git LFS versions 0.5.2 through 3.7.0

Description: Git LFS commands, specifically git lfs checkout and git lfs pull, may write to files outside the intended Git working tree if symbolic or hard links are present that conflict with paths tracked by Git LFS. This occurs because these commands did not check for symbolic links before writing files. The issue also affected bare repositories, allowing writes to files outside the repository. It is addressed by revising the git lfs checkout and git lfs pull commands to check for symbolic links and remove existing files before writing new ones.

Recommendations: Update to Git LFS version 3.7.1 or later. As a workaround, disable symlink support in Git by setting the core.symlinks configuration option to false. Note, however, that existing symbolic or hard links in repositories may still allow Git LFS to write to their targets.

Exploit · Fix · DoS

Weakness Enumeration: Link Following

Related Identifiers

ALSA-2025:23667
ALSA-2025:23744
ALSA-2025:23745
BDU:2025-12566
BDU:2025-13253
BIT-GIT-LFS-2025-26625
CVE-2025-26625
ECHO-B5A4-EC2D-5F68
GHSA-6PVW-G552-53C5
GO-2025-4038
OPENSUSE-SU-2025:15643-1
OPENSUSE-SU-2025:15710-1
RHSA-2025:23667
RHSA-2025:23744
RHSA-2025:23745
RHSA-2026:0199
RHSA-2026:0203
RHSA-2026:0204
RHSA-2026:0224
RHSA-2026:0459
RHSA-2026:0460
RHSA-2026:0465
RHSA-2026:0472
USN-7977-1

Affected Products

Almalinux
Centos
Debian
Git Lfs
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu