Security Patch
Fixes the remaining 6 Go stdlib / crypto CVEs in the git-lfs binary that were still present in v3.13.0.
What changed
- Force Go 1.25.8 toolchain: git-lfs's `go.mod` contains a `toolchain go1.25.3` directive, which caused Go to auto-download and compile with the older, vulnerable Go 1.25.3 even though Go 1.25.8 was installed. Setting `GOTOOLCHAIN=local` forces the installed, patched version.
- Update `golang.org/x/crypto` to latest (≥0.43.0) before building git-lfs, resolving CVE-2025-47913.
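An added example, not code from this release or from git-lfs, that checks the outcome of the two changes above: it parses the output of `go version -m <binary>` and verifies that the toolchain and `golang.org/x/crypto` versions embedded in the built binary meet the minimums listed under CVEs resolved. The sample build-info strings are constructed; the module hashes are placeholders.

```shell
#!/bin/sh
# Added example, not part of the release: verify a git-lfs binary was built with
# the fixed Go toolchain and golang.org/x/crypto by parsing `go version -m <binary>`.
# Real use: go version -m "$(command -v git-lfs)" | check_buildinfo
MIN_GO="1.25.8"       # Go stdlib fixes in this release land by 1.25.8 (see the CVE table)
MIN_XCRYPTO="0.43.0"  # CVE-2025-47913 is fixed in x/crypto 0.43.0

# version_ge A B: succeed when dotted version A >= B; "go"/"v" prefixes are
# ignored and components compare numerically, so 1.25.10 ranks above 1.25.8.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^go//; s/^v//')
    b=$(printf '%s' "$2" | sed 's/^go//; s/^v//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_buildinfo: read `go version -m` output on stdin, report each check,
# return 0 only when both the toolchain and x/crypto meet the minimums.
check_buildinfo() {
    info=$(cat)
    # First line "<binary>: go1.25.x" names the toolchain that compiled it.
    go_ver=$(printf '%s\n' "$info" | head -n 1 | awk '{print $2}')
    # Dependency lines: "dep <module> <version> <hash>" (tab-separated).
    xc_ver=$(printf '%s\n' "$info" | awk '$1 == "dep" && $2 == "golang.org/x/crypto" {print $3}')
    rc=0
    if [ -n "$go_ver" ] && version_ge "$go_ver" "$MIN_GO"; then
        echo "ok: toolchain $go_ver"
    else
        echo "FAIL: toolchain ${go_ver:-unknown}, need go$MIN_GO"; rc=1
    fi
    if [ -n "$xc_ver" ] && version_ge "$xc_ver" "$MIN_XCRYPTO"; then
        echo "ok: golang.org/x/crypto $xc_ver"
    else
        echo "FAIL: golang.org/x/crypto ${xc_ver:-missing}, need v$MIN_XCRYPTO"; rc=1
    fi
    return $rc
}

# Constructed sample build info (hashes are placeholders): unpatched vs patched.
OLD_INFO='git-lfs: go1.25.3
	dep	golang.org/x/crypto	v0.42.0	h1:placeholder'
NEW_INFO='git-lfs: go1.25.8
	dep	golang.org/x/crypto	v0.43.0	h1:placeholder'
```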
CVEs resolved
| CVE | Severity | Package |
|---|---|---|
| CVE-2025-68121 | CRITICAL | Go stdlib (fixed in 1.25.7) |
| CVE-2026-27142 | HIGH | Go stdlib (fixed in 1.25.8) |
| CVE-2026-25679 | HIGH | Go stdlib (fixed in 1.25.8) |
| CVE-2025-61729 | HIGH | Go stdlib (fixed in 1.25.5) |
| CVE-2025-61726 | HIGH | Go stdlib (fixed in 1.25.6) |
| CVE-2025-47913 | HIGH | golang.org/x/crypto (fixed in 0.43.0) |
Other changes
- Updated README to reference Gitea/Forgejo as supported targets
Full Changelog: v3.13.0...v3.13.1