Releases: git-for-windows/git
Releases · git-for-windows/git
Git for Windows v2.51.0.windows.2
v2.51.0.windows.2
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.51.0 (August 19th 2025)
New Features
- Comes with PCRE2 v10.46.
- Comes with cURL v8.16.0. This addresses a bug where fetches/pushes could fail with
failed to read data from server: SEC_E_CONTEXT_EXPIRED (0x80090317)under certain circumstances. Also included: a back-port of a fix for a bug where connection failures were mistakenly reported as time-outs. - Comes with Tig v2.6.0.
- Comes with MinTTY v3.8.1.
- Comes with OpenSSL v3.5.3.
Bug Fixes
- The auto-updater now shows Git for Windows icon in the notification also on Windows/ARM64.
git clone/git fetchnow deals more gracefully with directory / file conflicts when the files backend is used for ref storage, by failing only the ones that are involved in the conflict while allowing others. This is a regression in Git v2.51.0 that was reported in Git for Windows and independently also to the Git mailing list. This was fixed by merging Git's topic branchkn/refs-files-case-insensitive.- Support for pathspecs in
diff --no-indexwas somewhat buggy, which has been fixed. git sparse-checkoutsubcommand learned a newcleanaction to prune otherwise unused working-tree files that are outside the areas of interest. An earlier version of this had been integrated into Microsoft Git already. This was fixed by merging Git's topic branchds/sparse-checkout-clean.git rebase -ifailed to clean-up the commit log message when the command commits the final one in a chain of "fixup" commands, which has been corrected. Backported from Git's topic branchpw/rebase-i-cleanup-fix.git subtreedid not work correctly when splitting squashed subtrees, which has been improved. Backported from Git's topic branchcs/subtree-squash-split-fix.- Some among
git add -pand friends ignoredcolor.diffand/orcolor.uiconfiguration variables, which is an old regression, which has been corrected. This was fixed by merging Git's topic branchjk/add-i-color. - A corner-case bug in
git log -L...has been corrected. This was fixed by merging Git's topic branchsg/line-log-boundary-fixes. - A broken or malicious
git fetchcan say that it has the same object for many many times, and the upload-pack serving it can exhaust memory storing them redundantly, which has been corrected. This was fixed by merging Git's topic branchps/upload-pack-oom-protection. - Fixes multiple crashes around midx write-out codepaths. This was fixed by merging Git's topic branch
ds/midx-write-fixes. git repack --path-walklost objects in some corner cases, which has been corrected. This was fixed by merging Git's topic branchds/path-walk-repack-fix.- Under a race against another process that is repacking the repository, especially a partially cloned one,
git fetchmay mistakenly think some objects we do have are missing, which has been corrected. This was fixed by merging Git's topic branchjk/fetch-check-graph-objects-fix. - Various options to
git diffthat makes comparison ignore certain aspects of the differences (like "space changes are ignored", "differences in lines that match these regular expressions are ignored") did not work well with--name-onlyand friends. This was fixed by merging Git's topic branchly/diff-name-only-with-diff-from-content. git diff --no-indexrun inside a subdirectory under control of a Git repository operated at the top of the working tree and stripped the prefix from the output, and oddballs like "-" (stdin) did not work correctly because of it. Correct the set-up by undoing what the set-up sequence did to the current working directory and prefix. This was fixed by merging Git's topic branchjc/diff-no-index-in-subdir.- Various bugs about rename handling in "ort" merge strategy have been fixed. This was fixed by merging Git's topic branch
en/ort-rename-fixes. git pushhad a code path that led toBUG()but it should have reported a regular failure, as it is a response to a usual but invalid end-user action to attempt pushing an object that does not exist. This was fixed by merging Git's topic branchdl/push-missing-object-error.git refs migrateto migrate the reflog entries from a refs backend to another had a handful of bugs squashed. This was fixed by merging Git's topic branchps/reflog-migrate-fixes.- During interactive rebase, using
dropon a merge commit lead to an error, which was incorrect. This was fixed by merging Git's topic branchjs/rebase-i-allow-drop-on-a-merge.
| Filename | SHA-256 |
|---|---|
| Git-2.51.0.2-64-bit.exe | 5cf583441ccd8d98d3492936235b6ee30c6847d1b3f49365d6a025b3432094ad |
| Git-2.51.0.2-arm64.exe | ba95adc559e2d91ae28aa354c0ffb06b2c54f2bf42985f278dded9ca31194816 |
| PortableGit-2.51.0.2-64-bit.7z.exe | 85d6e9f865b73827e22d532fd6cd5b93987c8d264142786b0721956619d5c00e |
| PortableGit-2.51.0.2-arm64.7z.exe | f35e795224349c63b7d6c429c2d8404a6ce7e2e8f91934a3f6ba2ca8e7e285a8 |
| MinGit-2.51.0.2-64-bit.zip | 314fc2b7425ca116ea201e493fcb72008376c64997e866e6c8b8a5b360b3b8a9 |
| MinGit-2.51.0.2-arm64.zip | 4feecfaea2647a2a0b25b7bfa518b9a65eb3434d9be7016e4dd348f07bcc6d2f |
| MinGit-2.51.0.2-32-bit.zip | 617a1433fbf5e23deaa17b7559d79f465a08fea7e09a0cff32ac0f2216003a8e |
| MinGit-2.51.0.2-busybox-64-bit.zip | deb7e15ec1e33cad225a6be4401617e21569d188da0a1ca71c29d8018ad087b6 |
| MinGit-2.51.0.2-busybox-32-bit.zip | b2ed51815e858497c2399004a855d5ebb0f8eacd93e0a81a6afc46b5741efda6 |
| Git-2.51.0.2-64-bit.tar.bz2 | 0e4dcabc37f9749fb57b292611a53155842fe52bcbef8e7f56cc80ced65bf3f5 |
| Git-2.51.0.2-arm64.tar.bz2 | a219d91f5f8e707f5e7ff23402af1e7e6421c972896fa3f33edba170439bae90 |
Git for Windows v2.51.0.windows.1
v2.51.0.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.1 (July 8th 2025)
New Features
- Comes with Git v2.51.0.
- The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.01
- Comes with cURL v8.15.0.
- Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
- Comes with MinTTY v3.7.9.
| Filename | SHA-256 |
|---|---|
| Git-2.51.0-64-bit.exe | 843037416371600a7f289be8fe2b2224afe1c1bb0736bbab7b3ff393e6a7aaf2 |
| Git-2.51.0-arm64.exe | 739673a52a2ea5a3ac23ef1a74985647fd21a758e5e177fed2d995dd897a1600 |
| PortableGit-2.51.0-64-bit.7z.exe | a09b275d51ed3e829128e04cf4168fb54896cf6234bb30fecb8dc96a2bd321fa |
| PortableGit-2.51.0-arm64.7z.exe | 0aacd4edf0c1715334a18725a947584652e1b34bddab63ac3f4a82c9f7c78e38 |
| MinGit-2.51.0-64-bit.zip | c2c955a21fa99889d83f485f24fa5d9a38fffc2d509d4022385510e11c26b250 |
| MinGit-2.51.0-arm64.zip | b21755ccd10f71a37ec341ca9ac450cebee71bb1e70c0d88d90ddd6e5b16dfa4 |
| MinGit-2.51.0-32-bit.zip | 5a8f1cace31a817fa9fa3d18146e8b40a28fd365d48958976df93ae6f0bae077 |
| MinGit-2.51.0-busybox-64-bit.zip | 6b71de89d321310d1cc233565a10b06cabc65582e1c37bae47548c1fa323c878 |
| MinGit-2.51.0-busybox-32-bit.zip | 050fe76ece1b7762cd556bdbe242a979d5d769c2072db45e1cc888061552779c |
| Git-2.51.0-64-bit.tar.bz2 | 151bddf70e1115631e62bb05535b5e6726b3813e1f363953ad6b4e6697d96933 |
| Git-2.51.0-arm64.tar.bz2 | 5c3bc6ca50ef6a7686832d2549e6e1b3b1060cf18322a2bbe064d4aec2f33904 |
Git for Windows v2.51.0-rc2.windows.1
v2.51.0-rc2.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.1 (July 8th 2025)
New Features
- Comes with Git v2.51.0-rc2.
- The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.01
- Comes with cURL v8.15.0.
- Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
- Comes with MinTTY v3.7.9.
| Filename | SHA-256 |
|---|---|
| Git-2.51.0-rc2-64-bit.exe | f62cd3143a03e496b64468f9833434be19df4b2428fc5d058774d3ee394579f1 |
| Git-2.51.0-rc2-arm64.exe | 846e317ec5bea38e9164d627bd6f4e6881acb7bd136660e1c1ce9be7a54d8406 |
| PortableGit-2.51.0-rc2-64-bit.7z.exe | 01a8ab8481362c230f18cef8966a612f760d4ea40d539e9d8cb419e517a8ac20 |
| PortableGit-2.51.0-rc2-arm64.7z.exe | 4d44e057f7d6596d6671f413f694d5ab04cb02392b05d0a9cf929e4acf0155e3 |
| MinGit-2.51.0-rc2-64-bit.zip | b73e8059a6c2380f84ff1483dbffcdbcf1d97bec28de24a1c3d0d503a872a619 |
| MinGit-2.51.0-rc2-arm64.zip | ac5690ffeab59eb177d2091d68eef17e4f063f4b3f904749cdfa632a455f93f8 |
| MinGit-2.51.0-rc2-32-bit.zip | ca5585924690f62cbfddf317111eb1d02a9fca03f9a13fc15573b20c2bb9b754 |
| MinGit-2.51.0-rc2-busybox-64-bit.zip | 720914cae321f172d6546134624aa29b974bed00c8edfaa952b58f5c0193ffe4 |
| MinGit-2.51.0-rc2-busybox-32-bit.zip | 0ca7c6985243899b441474cd5a7cfb7cf994a0e57160e776a9170db7b4444da2 |
| Git-2.51.0-rc2-64-bit.tar.bz2 | 5804070e7e8fed5e624bbb74e5ea6f286367a698384681152dbb31eefabf9a3b |
| Git-2.51.0-rc2-arm64.tar.bz2 | 5218e4574410a80a6f0fcbfb905522909eaf91729ce26138b1985578e0823a33 |
Git for Windows v2.51.0-rc1.windows.1
v2.51.0-rc1.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.1 (July 8th 2025)
New Features
- Comes with Git v2.51.0-rc1.
- The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.00
- Comes with cURL v8.15.0.
- Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
| Filename | SHA-256 |
|---|---|
| Git-2.51.0-rc1-64-bit.exe | ef8dad28ffad12eb1baefa4d2ed108cf5e3235d6ec00837590b0020bddaf88be |
| Git-2.51.0-rc1-arm64.exe | a590d46d4408c7a072af3bb9e9dd9f129f0d97006d68c797a00297dc32eba34f |
| PortableGit-2.51.0-rc1-64-bit.7z.exe | 83db99592683faa184da5eec9874e13e11c218093c8ea260ecd0045014edcbe2 |
| PortableGit-2.51.0-rc1-arm64.7z.exe | ca19a6b04d06732644f8999c5d61d231f1e396c37345624006e9a59169a00a3f |
| MinGit-2.51.0-rc1-64-bit.zip | 57a42fec5bea403fc7cef60880b28c90ab810a30ce0c015be50870f768b31add |
| MinGit-2.51.0-rc1-arm64.zip | 8f1f6a4f3348c68c7673e15cb16b7481f90b19af7ff794524c8bd6e80fedab88 |
| MinGit-2.51.0-rc1-32-bit.zip | f66662fec8206f0214391d237a19e140e79b9f46ad90f58e0bf653746568e06b |
| MinGit-2.51.0-rc1-busybox-64-bit.zip | 5711d4db0e3160e30e6bce4e969b3f6828ce89bc64a3767ca081ae2391ccaa51 |
| MinGit-2.51.0-rc1-busybox-32-bit.zip | 52763ec1fcd5d70f35b6e0df4cea4791f32af4d5427ef803f8d3070342648e15 |
| Git-2.51.0-rc1-64-bit.tar.bz2 | d4159c2b8d937bc615e7e2f37705db1e8a06364b55172bc36a3ae519d6800f27 |
| Git-2.51.0-rc1-arm64.tar.bz2 | bc923a8218000d952ac86ed73b9f08746e3c53bfb186a59a41749da0f1c07620 |
Git for Windows v2.51.0-rc0.windows.1
v2.51.0-rc0.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.1 (July 8th 2025)
New Features
- Comes with Git v2.51.0-rc0.
- The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.00
- Comes with cURL v8.15.0.
- Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
| Filename | SHA-256 |
|---|---|
| Git-2.51.0-rc0-64-bit.exe | f10884d85577e87e49589e24ad461f1497ae48c03e725d6dd86f0a28a55872d0 |
| Git-2.51.0-rc0-arm64.exe | 1eaefeb121357b443bec2c9fb94f64fb7433e3961ab784278c9325cf09b21b5f |
| PortableGit-2.51.0-rc0-64-bit.7z.exe | 8ae49916e2139fd6d388704a4ab7f7382480a0c63d12501b93238e6b2916a98f |
| PortableGit-2.51.0-rc0-arm64.7z.exe | 4431babf9a3786952807a510c01972a5a03540e1a1ab623e9d99c47361244c0b |
| MinGit-2.51.0-rc0-64-bit.zip | 36a36ca0d24d6ccdb5328888aceeea7127343c2f6faeaa8474f84d1d7a3575fb |
| MinGit-2.51.0-rc0-arm64.zip | 8f39a5d5bd4b484b18bde06674c6d134440fe2d77306317eb60464ddb55f5971 |
| MinGit-2.51.0-rc0-32-bit.zip | a0651ed960e54e13ff63de20d61bfa50d4b1df2cfd870810c2528b8b662cbc21 |
| MinGit-2.51.0-rc0-busybox-64-bit.zip | 70e55379ca1e31013ac4f5e69589e13764622c220bc0c12d24320d3325ef6cfb |
| MinGit-2.51.0-rc0-busybox-32-bit.zip | a6b267c3275cd39eb7649897d1931c87f3278fc43d2a8a965b095e1c89d144fc |
| Git-2.51.0-rc0-64-bit.tar.bz2 | a77c02f8adcecf46a785c2a70557c04184c84bc12fc2480516c26c33fe035290 |
| Git-2.51.0-rc0-arm64.tar.bz2 | c8b12a3aadaa780cce6b0b007474d8cdc62ddc3d05025063e7ae55e142e4b810 |
Git for Windows 2.50.1
v2.50.1.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.0(2) (July 1st 2025)
This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
- Comes with Git v2.50.1.
Bug Fixes
- CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
- CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking
gitk filename, wherefilenamehas a particular structure. - CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
- CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
- CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
- CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
- CVE-2025-48386, Git: The wincred credential helper uses a static buffer (
target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it withwcsncat(), leading to potential buffer overflows.
Note: As a courtesy, this release includes a last, unplanned, "after warranty" 32-bit installer.
| Filename | SHA-256 |
|---|---|
| Git-2.50.1-64-bit.exe | 47fe1d46dbb7111f6693b04a8bd95fc869ce2062df7b4822b52849548fb457e4 |
| Git-2.50.1-arm64.exe | 26e71db68bf5dd2ad47e13a07fb050fa0e8ab7e9802401b32bb55f2626f15f55 |
| Git-2.50.1-32-bit.exe | 5191529725d9f0c1ffe6feb23f3d72b7abe585be84e09cb2e6b353adb280d35b |
| PortableGit-2.50.1-64-bit.7z.exe | c45a7dfa2bde34059f6dbd85f49a95d73d5aea29305f51b79595e56e4f323a3d |
| PortableGit-2.50.1-arm64.7z.exe | fa1c1df0d8bc9ccd36105964cfd2e088b50f3db974906c926dd1a4d271e1f90b |
| PortableGit-2.50.1-32-bit.7z.exe | 7692d9af16b08150e28dae6c63106a46995fb44e5f4c85182ac7eb1b840543c5 |
| MinGit-2.50.1-64-bit.zip | 6f672aebe9e488a246efd6875f9197dbc0d9a40100e218acc3877cba2b206c45 |
| MinGit-2.50.1-arm64.zip | 25d45da2f84c5faae01e55129498b8466ad26966f775964be761f14f24d11d75 |
| MinGit-2.50.1-32-bit.zip | d312bd9d9ff19bc85dd6dc46d3d1c10f63ab65f29a3d595b6376074025dc0809 |
| MinGit-2.50.1-busybox-64-bit.zip | 6d586bf5093baf312cd8141bb59d150416ee89a8e58240d8c1e9ae31a4be7758 |
| MinGit-2.50.1-busybox-32-bit.zip | 7d138de6edf6f001f131de55b02d97ca9e240c51a2ec61f631b0fe5e9f2b266b |
| Git-2.50.1-64-bit.tar.bz2 | 9131f40e26985205432a1aa8583b3a90b5a64f3c6cc9324b2b63f05cb3448222 |
| Git-2.50.1-arm64.tar.bz2 | 1edc852521562483eebcf9fcb016ffe5936a93099088de52fcd9b082d289396c |
| Git-2.50.1-32-bit.tar.bz2 | 796d8f4fdd19c668e348d04390a3528df61cfc9864d1f276d9dc585a8a0ac82c |
Git for Windows v2.50.0.windows.2
v2.50.0.windows.2
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.50.0 (June 16th 2025)
New Features
- Comes with Git LFS v3.7.0.
Bug Fixes
- Cloning large repositories via SSH frequently hung with Git for Windows v2.50.0, which was fixed.
- In Git for Windows v2.50.0, operations using the POSIX emulation layer (cloning via SSH, generating the Bash prompt) cannot be interrupted by Ctrl+C, which has been fixed.
- Git for Windows v2.50.0 is unable to initialize Git repositories on Windows Server 2016, which has been fixed.
| Filename | SHA-256 |
|---|---|
| Git-2.50.0.2-64-bit.exe | a22b0ddaaa6c698be63f8396b5e595c72a4ab2237bb8863c935752c02c1824b3 |
| Git-2.50.0.2-arm64.exe | 4d6306fa8f346615271acef9a6bbd9072485111e7c9717ee993bf72a29ab7cd1 |
| PortableGit-2.50.0.2-64-bit.7z.exe | de8e309e780201d74b09e4b248209fd5544c45acbb5a4d131562739460aeeb46 |
| PortableGit-2.50.0.2-arm64.7z.exe | ae8331ea65e1f7677b6ce140edb0f5501aa108abbd8bab943cd995c4ddf1218e |
| MinGit-2.50.0.2-64-bit.zip | 6d28c7e9f9c219a16c078c94a80492dd10fa309fbd17a67b2230736fdfb263b9 |
| MinGit-2.50.0.2-arm64.zip | c0552ba67549d2cc0cb847a89cd0c45b884086c06c7e1ec8dc190931e0e48adc |
| MinGit-2.50.0.2-32-bit.zip | 963ad1352e606f20a719ce1319432aaa23b18acd42cdc0f88f73694c29554a35 |
| MinGit-2.50.0.2-busybox-64-bit.zip | dddb446697623597ee84a7c544310f76cfa9e07bc34f951b8d3390a50d8e3d8b |
| MinGit-2.50.0.2-busybox-32-bit.zip | f16162dc7c45d438a04f3969b20545699623d89acf92a6a32a6ff9353a9e32a8 |
| Git-2.50.0.2-64-bit.tar.bz2 | 295dfbf88b741aff20b3f50580f8601fe5e3cffa67f48ea21892789274a902eb |
| Git-2.50.0.2-arm64.tar.bz2 | 7420699c4caf71ef79fd8edae7a0b5cacc708b5ba7c4200ec33963afb0365efa |
Git for Windows v2.50.0.windows.1
v2.50.0.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.49.0 (March 17th 2025)
New Features
- Comes with Git v2.50.0.
- Comes with MinTTY v3.7.8.
- Comes with OpenSSH v10.0.P1.
- Comes with cURL v8.14.1.
- Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.3.
Bug Fixes
- On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
- Git for Windows 2.48.1 introduced a regression when fetching long branches under
core.longPaths = true, which was fixed. - Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.
| Filename | SHA-256 |
|---|---|
| Git-2.50.0-64-bit.exe | 817a905f261b399580f476206a74bac1dd5aafef0e3e69d1263b7434c4c78b47 |
| Git-2.50.0-arm64.exe | 39a7807393e8829b31581a1f3553592875139f9e1f25d3d27d1fe1d778336b06 |
| PortableGit-2.50.0-64-bit.7z.exe | 0a16ff4699b62f171309dca221bd90f0dad5d4e68668d49b3ef0889bcb6da370 |
| PortableGit-2.50.0-arm64.7z.exe | 227392b7e1a564af3cdeb3f301944712431dd9ed67d569a18fa67eba3f7db4b4 |
| MinGit-2.50.0-64-bit.zip | 69b1a81f881077d3c89806d2cd13cfd0f2b31a4e934e6fb9f8370435aaa7a94e |
| MinGit-2.50.0-arm64.zip | b73a74019f16512bbefc86b9019b3dac9732ad64de8d99396fcc3647b145a11a |
| MinGit-2.50.0-32-bit.zip | 0ba70e3aabb99210f02caa02d31031cc6e26ef4770438cb59e6941276805c1a3 |
| MinGit-2.50.0-busybox-64-bit.zip | e2f4e682b3894b55287609fd1889f671864d7f6324d7ef76329d340a33366660 |
| MinGit-2.50.0-busybox-32-bit.zip | b6066cdd591ea6fe818db88b837436e2321309ab8dbd41d99167a301e5ed4783 |
| Git-2.50.0-64-bit.tar.bz2 | 401528b4e6ff68dc370fc9b16b3a84094f47699d7bc6549b716c5918ab604357 |
| Git-2.50.0-arm64.tar.bz2 | dcc0ad9983ecb4d56690b6df0634cab24241c5f6610b9b2a597b6e3a6d29149e |
Git for Windows 2.49.1
v2.49.1.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.49.0 (March 17th 2025)
This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
- Comes with Git v2.49.1.
Bug Fixes
- CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
- CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking
gitk filename, wherefilenamehas a particular structure. - CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
- CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
- CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
- CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
- CVE-2025-48386, Git: The wincred credential helper uses a static buffer (
target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it withwcsncat(), leading to potential buffer overflows.
| Filename | SHA-256 |
|---|---|
| Git-2.49.1-64-bit.exe | 887015706520687bbeecad5de0b651f28dd5b5019d4ad7d698cdc9a33e7c60c3 |
| Git-2.49.1-arm64.exe | 4a57dd0af4d6abb3eb8b66393048372a86283925ae95e9be057338b23d9f1d22 |
| PortableGit-2.49.1-64-bit.7z.exe | 643def94eaa15215ebe1018804d2ac3a458e80a2fc27aef6e5139411728f3a7d |
| PortableGit-2.49.1-arm64.7z.exe | b6e9dc984e9b8c32ad9a5bb801f6909cae2825052b9b0120dc1b130abe07ffdc |
| MinGit-2.49.1-64-bit.zip | 3934292e3467ef4402770a966190112950203b4f3be6d58c37e80bd85bce8ee9 |
| MinGit-2.49.1-arm64.zip | 2c18f00ee5cc01222035a283e314244e38c3ec285cded76817ca2f7572b83992 |
| MinGit-2.49.1-32-bit.zip | d73eddfeca821dd7a55309281f2ee9ea06b5ebec6dc89c6394e977a07901744a |
| MinGit-2.49.1-busybox-64-bit.zip | 1e8ea4d43534229ee11a2fba2cc218dae3182d832766f6df93fcfc1808962ff4 |
| MinGit-2.49.1-busybox-32-bit.zip | 1dcedac61666640f2fa87ec5462a299e35c325bb8a2b4dc25fc9fac1637dcb9c |
| Git-2.49.1-64-bit.tar.bz2 | 2ce022aa1bb833c515b79c52426f3e7a5e8692fab3a2af7eeb9f4062aa70d7b2 |
| Git-2.49.1-arm64.tar.bz2 | 583dfbec6084d9069ff90424b1cdcf3fcc29af8140400c15867990293e74d6c5 |
MinGit for Windows 2.47.3
v2.47.3.windows.1
This tag was signed with the committer’s verified signature.
dscho
Johannes Schindelin
Changes since Git for Windows v2.47.1(2) (January 14th 2025)
This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
- Comes with Git v2.47.3.
Bug Fixes
- CVE-2025-27613, Gitk:
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not. - CVE-2025-27614, Gitk:
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invokinggitk filename, where
filenamehas a particular structure. - CVE-2025-46334, Git GUI (Windows only):
A malicious repository can ship versions of sh.exe or typical
textconv filter programs such as astextplain. On Windows, path
lookup can find such executables in the worktree. These programs
are invoked when the user selects "Git Bash" or "Browse Files" from
the menu. - CVE-2025-46835, Git GUI:
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file. - CVE-2025-48384, Git:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout. - CVE-2025-48385, Git:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution. - CVE-2025-48386, Git:
The wincred credential helper uses a static buffer (target) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
wcsncat(), leading to potential buffer overflows.
| Filename | SHA-256 |
|---|---|
| MinGit-2.47.3-64-bit.zip | 033b94947b64c53442feefc4fdb0e66dc0ee619904a559627a952336e7a62e31 |
| MinGit-2.47.3-arm64.zip | 4aae1a69de2f029a10438ccd9fa4bf9572b0bcf6f6c6be884f4d2e0acbbaa3aa |
| MinGit-2.47.3-32-bit.zip | 969c2fd5727cd347775b4956e8c344b5decdf23651f4aa558bd0a91aa9562964 |
| MinGit-2.47.3-busybox-64-bit.zip | 1c7f90eae02c8d1936fb88d84149430a41d81569f9751eb8faa11b0a972cc202 |
| MinGit-2.47.3-busybox-32-bit.zip | 407a57301e5c5f8d9d8c139c6b6cf9458ee5e88bc3b7233fccfe5ec86356cdfd |