CVE-2025-26625
Git LFS vulnerability analysis and mitigation

Overview

Git LFS (Git Large File Storage) versions 0.5.2 through 3.7.0 contain a vulnerability (CVE-2025-26625) where the git lfs checkout and git lfs pull commands do not properly check for symbolic links before writing to files in the working tree. This vulnerability was discovered and disclosed on October 17, 2025, affecting all Git LFS installations since version 0.5.2 (GitHub Advisory, NVD).

Technical details

The vulnerability stems from improper link resolution before file access, classified as CWE-59. When populating a Git repository's working tree with Git LFS objects, certain commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The vulnerability has received a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

Impact

When exploited, this vulnerability could allow an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. Additionally, when git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository (Miggo).

Mitigation and workarounds

The vulnerability has been patched in Git LFS version 3.7.1. As a workaround, users can disable support for symlinks in Git by setting the core.symlinks configuration option to false, which will prevent further clones and fetches from creating symbolic links. However, existing symbolic or hard links in repositories will still present a potential risk. All users are strongly advised to upgrade to version 3.7.1 (GitHub Advisory).
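The following is an added example, not code from the Git LFS project or from this advisory: a defender's pre-flight check that (1) parses the output of git lfs version (assumed to have the form "git-lfs/X.Y.Z (...)") to decide whether the installed client falls in the affected range 0.5.2 through 3.7.0, and (2) audits a checkout for the condition the advisory describes, namely LFS-tracked paths that are symbolic links, sit below a symlinked directory, or are hard links (link count greater than 1). The repository layout built by run_demo() is constructed for illustration; the tracked-path list would normally come from git lfs ls-files.

```python
"""Pre-flight check for CVE-2025-26625 (Git LFS link collision in checkout/pull).

Added example, not Git LFS project code. Two checks:
  * parse_lfs_version / is_affected: is the installed client in 0.5.2..3.7.0?
  * find_link_collisions: which LFS-tracked paths would a link redirect
    outside the working tree (symlinked file, symlinked parent dir, hard link)?
"""
import os
import re
import tempfile

FIRST_AFFECTED = (0, 5, 2)   # first affected release per the advisory
PATCHED = (3, 7, 1)          # first fixed release per the advisory


def parse_lfs_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `git lfs version` output,
    assumed to look like 'git-lfs/3.7.0 (GitHub; linux amd64; go 1.24.1)'."""
    m = re.search(r"git-lfs/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("unrecognised git lfs version output: %r" % output)
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True for 0.5.2 <= version < 3.7.1 (i.e. 0.5.2 through 3.7.0)."""
    return FIRST_AFFECTED <= tuple(version) < PATCHED


def find_link_collisions(repo_root: str, lfs_paths):
    """Return [(lfs_path, reason)] for tracked paths that a link could redirect.

    lfs_paths are repository-relative, '/'-separated paths as printed by
    `git lfs ls-files`. Each path is checked for a symlinked ancestor
    directory, a symlinked file, or a hard-linked file (st_nlink > 1).
    """
    findings = []
    root = os.path.abspath(repo_root)
    for rel in lfs_paths:
        parts = rel.split("/")
        cur = root
        # Walk every ancestor directory of the tracked file first.
        for part in parts[:-1]:
            cur = os.path.join(cur, part)
            if os.path.islink(cur):
                findings.append((rel, "parent directory is a symlink: %s"
                                 % os.path.relpath(cur, root)))
                break
        else:
            full = os.path.join(root, *parts)
            if os.path.islink(full):
                findings.append((rel, "file is a symlink to %s" % os.readlink(full)))
            elif os.path.isfile(full) and os.stat(full).st_nlink > 1:
                findings.append((rel, "file is a hard link (link count %d)"
                                 % os.stat(full).st_nlink))
    return findings


def run_demo() -> dict:
    """Build a constructed repository layout in a temp dir and run both checks.

    Constructed layout (not from any real repository):
      assets/ok.bin    plain file            -> clean
      assets/evil.bin  symlink pointing out  -> flagged
      vendor/          symlink to a dir      -> vendor/blob.bin flagged
      assets/dup.bin   hard link of orig.bin -> flagged
    """
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(repo, "assets"))
        os.makedirs(outside)
        with open(os.path.join(repo, "assets", "ok.bin"), "wb") as f:
            f.write(b"\x00")
        os.symlink(os.path.join("..", "..", "outside", "target.txt"),
                   os.path.join(repo, "assets", "evil.bin"))
        os.symlink(outside, os.path.join(repo, "vendor"))
        with open(os.path.join(repo, "assets", "orig.bin"), "wb") as f:
            f.write(b"\x01")
        os.link(os.path.join(repo, "assets", "orig.bin"),
                os.path.join(repo, "assets", "dup.bin"))

        tracked = ["assets/ok.bin", "assets/evil.bin",
                   "vendor/blob.bin", "assets/dup.bin"]
        findings = find_link_collisions(repo, tracked)
        # Constructed version strings in the assumed `git lfs version` format.
        old = parse_lfs_version("git-lfs/3.7.0 (GitHub; linux amd64; go 1.24.1)")
        new = parse_lfs_version("git-lfs/3.7.1 (GitHub; linux amd64; go 1.24.1)")
        return {
            "client_affected": is_affected(old),
            "client_patched": not is_affected(new),
            "flagged": sorted(p for p, _ in findings),
            "reasons": dict(findings),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Where the version check reports an affected client and upgrading is not immediately possible, the advisory's workaround is git config core.symlinks false, which stops new clones and fetches from creating symlinks; the collision audit above is what still has to run against checkouts that already contain links.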

This report was generated using AI.

Related Git LFS vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                                                   | CISA KEV exploit | Has fix | Published date
CVE-2020-27955 | CRITICAL | 9.8   | Git LFS      | git-lfs                                                          | No               | Yes     | Nov 05, 2020
CVE-2025-26625 | HIGH     | 8.6   | Git LFS      | git-lfs                                                          | No               | Yes     | Oct 17, 2025
CVE-2024-53263 | HIGH     | 8.5   | Rocky Linux  | github.com/git-lfs/git-lfs                                       | No               | Yes     | Jan 14, 2025
CVE-2022-24826 | HIGH     | 7.8   | Git LFS      | cpe:2.3:a:git_large_file_storage_project:git_large_file_storage | No               | Yes     | Apr 20, 2022
CVE-2021-21237 | HIGH     | 7.8   | Git LFS      | github.com/git-lfs/git-lfs                                       | No               | Yes     | Jan 15, 2021
