v3.7.1
This release introduces security fixes for Linux, macOS, and Windows systems, which have been collectively assigned CVE-2025-26625.
When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS.
Git LFS has resolved this problem by revising the git lfs checkout and
git lfs pull commands so that they check for symbolic links in the same
manner as performed by Git before writing to files in the working tree.
These commands now also remove existing files in the working tree before
writing new files in their place.
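The symlink check and remove-before-write behaviour described above, sketched in Go as an added example. It is not Git LFS's own code; `safeWrite` and `ErrUnsafePath` are hypothetical names, and the written bytes are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe working tree path")

// safeWrite (hypothetical helper, not Git LFS's API) writes data to rel under root.
func safeWrite(root, rel string, data []byte) error {
	clean := filepath.Clean(filepath.FromSlash(rel))
	if clean == "." || !filepath.IsLocal(clean) {
		return fmt.Errorf("%w: %q leaves the tree", ErrUnsafePath, rel)
	}
	parts := strings.Split(clean, string(filepath.Separator))
	cur := root
	for _, p := range parts[:len(parts)-1] { // parents must be real directories
		cur = filepath.Join(cur, p)
		if err := os.Mkdir(cur, 0o755); err == nil {
			continue
		}
		if fi, err := os.Lstat(cur); err != nil {
			return err
		} else if !fi.IsDir() { // Lstat does not follow links, so a symlink fails here
			return fmt.Errorf("%w: %q is not a directory", ErrUnsafePath, cur)
		}
	}
	dst := filepath.Join(cur, parts[len(parts)-1])
	// Unlink first: removing a symlink or hard link detaches only the name.
	if err := os.Remove(dst); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	// O_EXCL refuses to open anything that reappeared at dst, symlinks included.
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	_, werr := f.Write(data)
	return errors.Join(werr, f.Close())
}

func main() { // usage: prog ROOT RELPATH
	if len(os.Args) == 3 {
		fmt.Println(safeWrite(os.Args[1], os.Args[2], []byte("constructed sample\n")))
	}
}
```

The checks and the final open are separate system calls, so this sketch does not guard against another process changing the tree between them.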
Git LFS has also resolved a problem whereby the git lfs checkout and
git lfs pull commands, when run in a bare repository, could write to
files visible outside the repository. While a specific and relatively
unlikely set of conditions was required for this to occur, it is no
longer possible under any circumstances.
We would like to extend a special thanks to the following open-source contributors:
- Apple Product Security for reporting this to us responsibly
Bugs
- Detect symbolic links on checkout and pull (@chrisd8088)
Misc
- Upgrade to Go 1.25 (@chrisd8088)
Packages
Up-to-date packages are available on PackageCloud and Homebrew.
- RPM RHEL 8/Rocky Linux 8
- RPM RHEL 9/Rocky Linux 9
- RPM RHEL 10/Rocky Linux 10
- Debian 11
- Debian 12
SHA-256 hashes: