SB2026012789 - Ubuntu update for git-lfs 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026012789

SB2026012789 - Ubuntu update for git-lfs

Published: January 27, 2026

Security Bulletin ID SB2026012789
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2024-53263)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of CR/LF characters in URLs. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host A remote attacker can pass specially crafted URL to the application and obtain credentials.


2) Link following (CVE-ID: CVE-2025-26625)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an insecure link following issue. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. A remote attacker can write arbitrary files using crafted links, leading to remote code execution. 


Remediation

Install update from vendor's website.

References