Main Vulnerability Database Vulnerabilities #VU118253

Link following in git-lfs - CVE-2025-26625

Published: November 11, 2025

Vulnerability identifier: #VU118253

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-26625

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Git LFS

Affected software:
git-lfs

Detailed vulnerability description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an insecure link following issue. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. A remote attacker can write arbitrary files using crafted links, leading to remote code execution.

How to mitigate CVE-2025-26625

Install updates from vendor's website.

Sources

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5

Link following in git-lfs - CVE-2025-26625

Detailed vulnerability description

How to mitigate CVE-2025-26625

Sources

Please verify you're human