Main Vulnerability Database Vulnerabilities #VU118253

#VU118253 Link following in git-lfs - CVE-2025-26625

Published: November 11, 2025

Vulnerability identifier: #VU118253

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-26625

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
git-lfs

Software vendor:
Git LFS

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an insecure link following issue. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. A remote attacker can write arbitrary files using crafted links, leading to remote code execution.

Remediation

Install updates from vendor's website.

External links

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5

#VU118253 Link following in git-lfs - CVE-2025-26625

Description

Remediation

External links

Please verify you're human