Changes since Git for Windows v2.50.0(2) (July 1st 2025)

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

• Comes with Git v2.50.1.

Bug Fixes

• CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
• CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
• CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
• CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
• CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
• CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
• CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

Note: As a courtesy, this release includes a last, unplanned, "after warranty" 32-bit installer.

Changes since Git for Windows v2.50.0 (June 16th 2025)

New Features

• Comes with Git LFS v3.7.0.

Bug Fixes

• Cloning large repositories via SSH frequently hung with Git for Windows v2.50.0, which was fixed.
• In Git for Windows v2.50.0, operations using the POSIX emulation layer (cloning via SSH, generating the Bash prompt) cannot be interrupted by Ctrl+C, which has been fixed.
• Git for Windows v2.50.0 is unable to initialize Git repositories on Windows Server 2016, which has been fixed.

Changes since Git for Windows v2.49.0 (March 17th 2025)

New Features

• Comes with Git v2.50.0.
• Comes with MinTTY v3.7.8.
• Comes with OpenSSH v10.0.P1.
• Comes with cURL v8.14.1.
• Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.3.

Bug Fixes

• On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
• Git for Windows 2.48.1 introduced a regression when fetching long branches under core.longPaths = true, which was fixed.
• Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.

Changes since Git for Windows v2.49.0 (March 17th 2025)

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

• Comes with Git v2.49.1.

Bug Fixes

• CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
• CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
• CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
• CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
• CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
• CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
• CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

Changes since Git for Windows v2.47.1(2) (January 14th 2025)

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

• Comes with Git v2.47.3.

Bug Fixes

• CVE-2025-27613, Gitk:
  When a user clones an untrusted repository and runs Gitk without
  additional command arguments, any writable file can be created and
  truncated. The option "Support per-file encoding" must have been
  enabled. The operation "Show origin of this line" is affected as
  well, regardless of the option being enabled or not.
• CVE-2025-27614, Gitk:
  A Git repository can be crafted in such a way that a user who has
  cloned the repository can be tricked into running any script
  supplied by the attacker by invoking gitk filename, where
  filename has a particular structure.
• CVE-2025-46334, Git GUI (Windows only):
  A malicious repository can ship versions of sh.exe or typical
  textconv filter programs such as astextplain. On Windows, path
  lookup can find such executables in the worktree. These programs
  are invoked when the user selects "Git Bash" or "Browse Files" from
  the menu.
• CVE-2025-46835, Git GUI:
  When a user clones an untrusted repository and is tricked into
  editing a file located in a maliciously named directory in the
  repository, then Git GUI can create and overwrite any writable
  file.
• CVE-2025-48384, Git:
  When reading a config value, Git strips any trailing carriage
  return and line feed (CRLF). When writing a config entry, values
  with a trailing CR are not quoted, causing the CR to be lost when
  the config is later read. When initializing a submodule, if the
  submodule path contains a trailing CR, the altered path is read
  resulting in the submodule being checked out to an incorrect
  location. If a symlink exists that points the altered path to the
  submodule hooks directory, and the submodule contains an executable
  post-checkout hook, the script may be unintentionally executed
  after checkout.
• CVE-2025-48385, Git:
  When cloning a repository Git knows to optionally fetch a bundle
  advertised by the remote server, which allows the server-side to
  offload parts of the clone to a CDN. The Git client does not
  perform sufficient validation of the advertised bundles, which
  allows the remote side to perform protocol injection.
  This protocol injection can cause the client to write the fetched
  bundle to a location controlled by the adversary. The fetched
  content is fully controlled by the server, which can in the worst
  case lead to arbitrary code execution.
• CVE-2025-48386, Git:
  The wincred credential helper uses a static buffer (target) as a
  unique key for storing and comparing against internal storage. This
  credential helper does not properly bounds check the available
  space remaining in the buffer before appending to it with
  wcsncat(), leading to potential buffer overflows.

Changes since Git for Windows v2.49.0 (March 17th 2025)

New Features

• Comes with Git v2.50.0-rc2.
• Comes with MinTTY v3.7.8.
• Comes with OpenSSH v10.0.P1.
• Comes with cURL v8.14.1.
• Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.3.

Bug Fixes

• On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
• Git for Windows 2.48.1 introduced a regression when fetching long branches under core.longPaths = true, which was fixed.
• Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.

Changes since Git for Windows v2.49.0 (March 17th 2025)

New Features

• Comes with Git v2.50.0-rc1.
• Comes with MinTTY v3.7.8.
• Comes with OpenSSH v10.0.P1.
• Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.2.
• Comes with cURL v8.14.1.

Bug Fixes

• On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
• Git for Windows 2.48.1 introduced a regression when fetching long branches under core.longPaths = true, which was fixed.
• Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.

Changes since Git for Windows v2.49.0 (March 17th 2025)

New Features

• Comes with Git v2.50.0-rc0.
• Comes with MinTTY v3.7.8.
• Comes with OpenSSH v10.0.P1.
• Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.2.
• Comes with cURL v8.14.0.

Bug Fixes

• On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
• Git for Windows 2.48.1 introduced a regression when fetching long branches under core.longPaths = true, which was fixed.
• Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.

Changes since Git for Windows v2.48.1 (February 13th 2025)

Due to persistent maintenance challenges and the community's limited engagement and usage, git svn support in Git for Windows will be phased out over the next few months.

Git for Windows v2.48.1 was the last version to ship with the i686 ("32-bit") variant of the installer, portable Git and archive. Only 32-bit MinGit will be built for future versions, until April 2029.

New Features

• Comes with Git v2.49.0.
• Comes with OpenSSH v9.9.P2.
• Comes with PCRE2 v10.45.
• The previously-experimental --full-name-hash option has been accepted into upstream Git as --name-hash-version=2 and is no longer experimental.
• The git backfill command has been accepted into upstream Git; Its --batch-size=<n> option has been renamed to --min-batch-size=<n>, though.

Bug Fixes

• A change in upstream Git v2.48.0 broke renaming symlinks, which was fixed.
• On a recent Insider Windows version, users experienced the message: "Cygwin WARNING: Couldn't compute FAST_CWD pointer", which has been fixed.
• A bug has been fixed that, when calling git add -p from VS Code's internal terminal, after using the edit command, caused the internal terminal got stuck and no further command was accepted.
• The syntax highlighting of the nano editor was recently disabled in Git for Windows by mistake, which was fixed.

Changes since Git for Windows v2.48.1 (February 13th 2025)

Due to persistent maintenance challenges and the community's limited engagement and usage, git svn support in Git for Windows will be phased out over the next few months.

Git for Windows v2.48.1 was the last version to ship with the i686 ("32-bit") variant of the installer, portable Git and archive. Only 32-bit MinGit will be built for future versions, until April 2029.

New Features

• Comes with Git v2.49.0-rc2.
• Comes with OpenSSH v9.9.P2.
• Comes with PCRE2 v10.45.
• The previously-experimental --full-name-hash option has been accepted into upstream Git as --name-hash-version=2 and is no longer experimental.
• The git backfill command has been accepted into upstream Git; Its --batch-size=<n> option has been renamed to --min-batch-size=<n>, though.

Bug Fixes

• A change in upstream Git v2.48.0 broke renaming symlinks, which was fixed.
• On a recent Insider Windows version, users experienced the message: "Cygwin WARNING: Couldn't compute FAST_CWD pointer", which has been fixed.
• A bug has been fixed that, when calling git add -p from VS Code's internal terminal, after using the edit command, caused the internal terminal got stuck and no further command was accepted.
• The syntax highlighting of the nano editor was recently disabled in Git for Windows by mistake, which was fixed.