VDB
GO-2025-4038
GO-2025-4038
PUBLISHED
Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | git-lfs/git-lfs/v3 | 0, 0 |
| github.com | git-lfs/git-lfs | 0.5.2, 0.5.2 |
Timeline
- Oct 30, 2025 CVE Published
- Mar 3, 2026 CVE Updated
References
- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5 advisory
- https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396 fix
- https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8 fix
- https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615 fix
- https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1 fix