
Git LFS Vulnerability

Vulnerability detected in Git LFS and its remediation actions

What is it?

The vulnerability allows an attacker to execute arbitrary code on a victim's machine by getting the victim to work with a malicious repository. It is only present on Windows. However, Git for Windows ships with Git LFS, so every Windows customer can be affected.

Example situation: Joe Company clones the open source repo http://www.github.com/bad/repo.git to a corporate machine. Cloning that repository could allow an attacker to take over Joe's machine and from there attack the company network.

More information on this vulnerability can be found in the CVE-2020-27955 Security Notice.

How do we remediate it?

Download and install the newest build of Git for Windows on all Windows machines, or run git update-git-for-windows on each machine, to patch this vulnerability.
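An added example (not part of this announcement or of the Git for Windows project) of how an administrator can confirm the remediation on a Windows machine with PowerShell: it parses the output of git lfs version and compares it against a minimum patched version. The default minimum of 2.12.1 is the Git LFS release that fixed CVE-2020-27955; that number is an assumption not stated on this page, so adjust it to whatever version your organization requires.

```powershell
# Added example: report whether the Git LFS bundled with Git for Windows is at or
# above a patched release. Assumed minimum: Git LFS 2.12.1 (the fix for
# CVE-2020-27955); this value is not taken from the announcement page.
function Test-GitLfsPatched {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = [version]'2.12.1'
    )

    # Without git on PATH there is nothing to check; report it rather than fail.
    $git = Get-Command git -ErrorAction SilentlyContinue
    if (-not $git) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }

    # Typical output: "git-lfs/2.12.1 (GitHub; windows amd64; go 1.15.3)"
    $output = (& $git.Source lfs version 2>&1 | Out-String).Trim()
    if (-not ($output -match 'git-lfs/(\d+\.\d+\.\d+)')) {
        # Git LFS missing or returning something unexpected: surface it for review.
        throw "Unexpected output from 'git lfs version': $output"
    }
    $installed = [version]$Matches[1]

    [pscustomobject]@{
        Installed = $true
        Version   = $installed
        Patched   = ($installed -ge $MinimumVersion)
    }
}

$result = Test-GitLfsPatched
if ($result.Installed -and -not $result.Patched) {
    Write-Warning "Git LFS $($result.Version) predates the patched release; run 'git update-git-for-windows'."
}
$result
```

To audit a fleet, run the function on each host through Invoke-Command and collect the returned objects, flagging any row where Patched is false.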

Need assistance?

If you find you need further assistance, please reach out to the team by submitting an issue.
