{"id":"GO-2025-4038","summary":"Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs","details":"Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs","aliases":["BIT-git-lfs-2025-26625","CVE-2025-26625","GHSA-6pvw-g552-53c5"],"modified":"2026-05-10T18:41:17.262894850Z","published":"2025-10-30T15:02:47Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-4038","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5"},{"type":"FIX","url":"https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396"},{"type":"FIX","url":"https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8"},{"type":"FIX","url":"https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615"},{"type":"WEB","url":"https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1"}],"affected":[{"package":{"name":"github.com/git-lfs/git-lfs","ecosystem":"Go","purl":"pkg:golang/github.com/git-lfs/git-lfs"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.5.2"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4038.json"}},{"package":{"name":"github.com/git-lfs/git-lfs/v3","ecosystem":"Go","purl":"pkg:golang/github.com/git-lfs/git-lfs/v3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.7.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["checkoutCommand","checkoutConflict","newSingleCheckout","singleCheckout.Run"],"path":"github.com/git-lfs/git-lfs/v3/commands"},{"symbols":["GitFilter.SmudgeToFile"],"path":"github.com/git-lfs/git-lfs/v3/lfs"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4038.json"}}],"schema_version":"1.7.5"}