CVE-2025-26625

CVE-2025-26625 is a high-severity security vulnerability in github.com/git-lfs/git-lfs (go), affecting versions >= 0.5.2, <= 3.7.0. It is fixed in 3.7.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Git LFS may write to arbitrary files via crafted symlinks

Workarounds

Support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

References

For more information

If there are any questions or comments about this advisory:

Impact

When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS.

Git LFS has resolved this problem by revising the git lfs checkout and git lfs pull commands so that they check for symbolic links in the same manner as performed by Git before writing to files in the working tree. These commands now also remove existing files in the working tree before writing new files in their place.

As well, Git LFS has resolved a problem whereby the git lfs checkout and git lfs pull commands, when run in a bare repository, could write to files visible outside the repository. While a specific and relatively unlikely set of conditions were required for this to occur, it is no longer possible under any circumstances.

Affected versions

github.com/git-lfs/git-lfs (>= 0.5.2, <= 3.7.0)

Security releases

github.com/git-lfs/git-lfs → 3.7.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

This problem exists in all versions since 0.5.2 and is patched in v3.7.1. All users should upgrade to v3.7.1.

Frequently Asked Questions

  1. What is CVE-2025-26625? CVE-2025-26625 is a high-severity security vulnerability in github.com/git-lfs/git-lfs (go), affecting versions >= 0.5.2, <= 3.7.0. It is fixed in 3.7.1.
  2. Which versions of github.com/git-lfs/git-lfs are affected by CVE-2025-26625? github.com/git-lfs/git-lfs (go) versions >= 0.5.2, <= 3.7.0 is affected.
  3. Is there a fix for CVE-2025-26625? Yes. CVE-2025-26625 is fixed in 3.7.1. Upgrade to this version or later.
  4. Is CVE-2025-26625 exploitable, and should I be worried? Whether CVE-2025-26625 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-26625 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-26625? Upgrade github.com/git-lfs/git-lfs to 3.7.1 or later.

Other vulnerabilities in github.com/git-lfs/git-lfs

Stop the waste.
Protect your environment with Kodem.