Fluid Attacks Database

Description

Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	git-lfs	=2.13.2-1 \|\| =2.13.2-1+deb11u1 \|\| >=0 <2.13.2-1+deb11u2	2.13.2-1+deb11u2
debian 12	git-lfs	=3.3.0-1 \|\| =3.3.0-1+deb12u1 \|\| =3.4.0-1 \|\| =3.4.1-1 \|\| =3.5.0-1 \|\| =3.5.0-2 \|\| =3.6.1-1 \|\| =3.7.1-1	-
debian 13	git-lfs	=3.6.1-1 \|\| >=0 <3.6.1-1+deb13u1	3.6.1-1+deb13u1
debian 14	git-lfs	=3.6.1-1 \|\| >=0 <3.7.1-1	3.7.1-1
go	github.com/git-lfs/git-lfs/v3	>=0 <3.7.1	3.7.1
go	github.com/git-lfs/git-lfs	>=0.5.2 <3.7.1	3.7.1
rpm rhel9.4	git-lfs	<0:3.4.1-4.el9_4.3	0:3.4.1-4.el9_4.3
rpm rhel9.6	git-lfs	<0:3.6.1-2.el9_6.1	0:3.6.1-2.el9_6.1
rpm rhel10	git-lfs	<0:3.6.1-4.el10_1	0:3.6.1-4.el10_1
rpm rhel10.0	git-lfs	<0:3.6.1-2.el10_0.1	0:3.6.1-2.el10_0.1

1-10 of 15

Aliases

1. CVE-2025-266252. NVD-2025-266253. OSV-DEBIAN-2025-266254. OSV-2025-266255. OSV-GO-2025-40386. GHSA-6pvw-g552-53c57. GCVE-2025-266258. SECURITY-TRACKER-CVE-2025-266259. GHSA-6pvw-g552-53c510. lists.debian.org

References

1. https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e983962. https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a83. https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb36154. https://github.com/git-lfs/git-lfs/releases/tag/v3.7.15. https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c56. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26625

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.