CVE-2025-26625: 
Git LFS vulnerability analysis and mitigation

Git LFS (Large File Storage), a Git extension for versioning large files, has been found to contain a vulnerability (CVE-2025-26625) affecting versions 0.5.2 through 3.7.0. The vulnerability was discovered and disclosed on October 17, 2025, impacting the Git LFS system's file handling mechanisms during checkout and pull operations (GitHub Advisory).

The vulnerability is classified as a high-severity issue with a CVSS v4.0 base score of 8.6. It is identified as CWE-59 (Improper Link Resolution Before File Access) where the git lfs checkout and git lfs pull commands fail to properly check for symbolic links before writing to files in the working tree. The vulnerability allows attackers to craft repositories containing symbolic or hard links that could lead to writes in arbitrary file system locations accessible to the user running these commands. Additionally, when these commands are executed in a bare repository, they could write to files outside the repository scope (NVD, Red Hat).

The vulnerability enables potential attackers to write to arbitrary file system locations that are accessible to the user running the git lfs commands. This could lead to unauthorized file modifications and potential data corruption in locations outside the intended Git working tree. The impact is particularly significant when dealing with bare repositories or when symbolic or hard links are present in the repository structure (GitHub Advisory).

The vulnerability has been patched in Git LFS version 3.7.1. As a temporary workaround, users can disable support for symlinks in Git by setting the core.symlinks configuration option to false using the command 'git config --global core.symlinks false'. However, this workaround only prevents new symbolic links from being created during clones and fetches; existing symbolic or hard links in repositories will still present a potential security risk (GitHub Advisory).