Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:rpm/redhat/git-lfs@3.6.1-4?arch=el9_7

Type rpm

Namespace redhat

Name git-lfs

Version 3.6.1-4

Qualifiers

arch	el9_7

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url

VCID-nzx9-gyse-2fgh

vulnerability_id

VCID-nzx9-gyse-2fgh

summary

Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26625.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26625.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-26625

reference_id

reference_type

scores

value	0.00057
scoring_system	epss
scoring_elements	0.18059
published_at	2026-06-06T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.17946
published_at	2026-06-08T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18022
published_at	2026-06-07T12:55:00Z

value	0.0007
scoring_system	epss
scoring_elements	0.2143
published_at	2026-06-09T12:55:00Z

value	0.0007
scoring_system	epss
scoring_elements	0.21539
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-26625

reference_url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26625

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26625

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/git-lfs/git-lfs

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/git-lfs/git-lfs

reference_url

https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-10-17T15:44:04Z/

url

https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396

reference_url

https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-10-17T15:44:04Z/

url

https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8

reference_url

https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-10-17T15:44:04Z/

url

https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615

reference_url

https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-10-17T15:44:04Z/

url

https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1

reference_url

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-10-17T15:44:04Z/

url

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5

reference_url

https://lists.debian.org/debian-lts-announce/2026/05/msg00055.html

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2026/05/msg00055.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-26625

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-26625

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118339
reference_id	1118339
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118339

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2404720
reference_id	2404720
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2404720

reference_url	https://access.redhat.com/errata/RHSA-2025:23648
reference_id	RHSA-2025:23648
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23648

reference_url	https://access.redhat.com/errata/RHSA-2025:23667
reference_id	RHSA-2025:23667
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23667

reference_url	https://access.redhat.com/errata/RHSA-2025:23744
reference_id	RHSA-2025:23744
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23744

reference_url	https://access.redhat.com/errata/RHSA-2025:23745
reference_id	RHSA-2025:23745
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23745

reference_url	https://access.redhat.com/errata/RHSA-2025:23927
reference_id	RHSA-2025:23927
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23927

reference_url	https://access.redhat.com/errata/RHSA-2026:0199
reference_id	RHSA-2026:0199
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0199

reference_url	https://access.redhat.com/errata/RHSA-2026:0203
reference_id	RHSA-2026:0203
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0203

reference_url	https://access.redhat.com/errata/RHSA-2026:0204
reference_id	RHSA-2026:0204
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0204

reference_url	https://access.redhat.com/errata/RHSA-2026:0224
reference_id	RHSA-2026:0224
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0224

reference_url	https://access.redhat.com/errata/RHSA-2026:0459
reference_id	RHSA-2026:0459
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0459

reference_url	https://access.redhat.com/errata/RHSA-2026:0460
reference_id	RHSA-2026:0460
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0460

reference_url	https://access.redhat.com/errata/RHSA-2026:0465
reference_id	RHSA-2026:0465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0465

reference_url	https://access.redhat.com/errata/RHSA-2026:0472
reference_id	RHSA-2026:0472
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0472

reference_url	https://usn.ubuntu.com/7977-1/
reference_id	USN-7977-1
reference_type
scores
url	https://usn.ubuntu.com/7977-1/

fixed_packages

aliases

CVE-2025-26625, GHSA-6pvw-g552-53c5

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-nzx9-gyse-2fgh

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/git-lfs@3.6.1-4%3Farch=el9_7

Package Instance