Debian git-lfs Moderate File Oversight Advisory DLA-4610-1 CVE-2025-26625
debian lts
May 31, 2026
In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands could write to files visible...
Topics Covered
Summary
The git lfs checkout and git lfs pull commands did not check for symbolic
links before writing to files in the working tree, which allowed an attacker
to craft a repository containing symbolic or hard links that caused Git LFS
to write to arbitrary file system locations accessible to the user running
these commands.
Also, when the git lfs checkout and git lfs pull commands were run in a bare
repository, they could write to files visible outside the repository.
The complete fix to this issue, specifically the behaviour of git lfs pull,
requires a newer Git version, 2.42.0 or newer.
As a workaround, support for symlinks in Git may be disabled by setting the
core.symlinks configuration option to false, after which further clones and
fetches will not create symbolic links. However, any symbolic or hard links
in existing repositories will still provide the opportunity for Git LFS to
write to their targets.
For Debian 11 bullseye, this problem has been partially fixed in version
PREVIOUS 
NEXT Severity
moderate
Lowest
Low
Medium
High
Critical
Package: git-lfs
Version: 2.13.2-1+deb11u2
CVE ID: CVE-2025-26625
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!