Tags: git-for-windows/git
Tags
Git for Windows v2.54.0
Changes since Git for Windows v2.53.0(3) (April 14th 2026)
Due to persistent maintenance challenges, git svn is no longer included
in Git for Windows. Users who still need this command are highly
encouraged to use a Linux version of git svn via the Windows Subsystem
for Linux instead, or switch to a regular MSYS2 setup: install MSYS2,
then run the following command in the MSYS2 UCRT64 Bash: pacman -Sy
mingw-w64-ucrt-x86_64-git-svn. After that, the git svn command will be
available in that Bash. On Windows/ARM64, you will want to use the
CLANGARM64 variant instead (and install
mingw-w64-clang-aarch64-git-svn).
New Features
* Comes with Git v2.54.0.
* Comes with Bash v5.3.9.
* Comes with Git Credential Manager v2.7.3.
* Comes with MinTTY v3.8.2.
* The shell aliases in Git Bash that ensured that interpreters such
as Python and Node.JS are executed via winpty are no longer
necessary, and have therefore been dropped.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.7.
* Comes with cURL v8.19.0.
* Comes with OpenSSH v10.3.P1.
* Comes with OpenSSL v3.5.6.
Bug Fixes
* The iconv executable, which was inadvertently dropped from Git for
Windows v2.53.0's installer, is now included again.
* In some circumstances, when typing while a still-running program is
about to terminate, the typed characters could arrive out of order
in Git Bash. This bug was fixed.
* Similar to how git clean already avoids traversing NTFS junctions,
git worktree remove now does the same.
* The number of CPU cores is now detected correctly on multi-socket
systems.
* When fetching/pushing via Secure Channel (the default TLS/SSL
method), the timeout to renegotiate (e.g. using client
certificates) was recently reduced to 7 seconds, which was too
short. It has been extended to 60 seconds.
* The recent security bug fix that disables NTLM by default missed
the NTLM fallback in the Kerberos protocol. This fallback is now
disabled, following the cURL project's guidance.
* A really old bug which prevented Kerberos authentication from
working with the default http.emptyAuth ("auto"), was fixed.
* The git instaweb command is no longer distributed with Git for
Windows because it would require GitWeb (which has not been
distributed with Git for Windows for quite a few years).
Git for Windows v2.54.0-rc2
Changes since Git for Windows v2.53.0(3) (April 14th 2026)
Due to persistent maintenance challenges, git svn is no longer included
in Git for Windows. Users who still need this command are highly
encouraged to use a Linux version of git svn via the Windows Subsystem
for Linux instead, or switch to a regular MSYS2 setup: install MSYS2,
then run the following command in the MSYS2 UCRT64 Bash: pacman -Sy
mingw-w64-ucrt-x86_64-git-svn. After that, the git svn command will be
available in that Bash. On Windows/ARM64, you will want to use the
CLANGARM64 variant instead (and install
mingw-w64-clang-aarch64-git-svn).
New Features
* Comes with Git v2.54.0-rc2.
* Comes with Bash v5.3.9.
* Comes with Git Credential Manager v2.7.2.
* Comes with MinTTY v3.8.2.
* The shell aliases in Git Bash that ensured that interpreters such
as Python and Node.JS are executed via winpty are no longer
necessary, and have therefore been dropped.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.7.
* Comes with cURL v8.19.0.
* Comes with OpenSSH v10.3.P1.
* Comes with OpenSSL v3.5.6.
Bug Fixes
* The iconv executable, which was inadvertently dropped from Git for
Windows v2.53.0's installer, is now included again.
* In some circumstances, when typing while a still-running program is
about to terminate, the typed characters could arrive out of order
in Git Bash. This bug was fixed.
* Similar to how git clean already avoids traversing NTFS junctions,
git worktree remove now does the same.
* The number of CPU cores is now detected correctly on multi-socket
systems.
* When fetching/pushing via Secure Channel (the default TLS/SSL
method), the timeout to renegotiate (e.g. using client
certificates) was recently reduced to 7 seconds, which was too
short. It has been extended to 60 seconds.
* The recent security bug fix that disables NTLM by default missed
the NTLM fallback in the Kerberos protocol. This fallback is now
disabled, following the cURL project's guidance.
* A really old bug which prevented Kerberos authentication from
working with the default http.emptyAuth ("auto"), was fixed.
Git for Windows v2.54.0-rc1
Changes since Git for Windows v2.53.0(2) (March 10th 2026)
Due to persistent maintenance challenges, git svn is no longer included
in Git for Windows. Users who still need this command are highly
encouraged to use a Linux version of git svn via the Windows Subsystem
for Linux instead, or switch to a regular MSYS2 setup: install MSYS2,
then run the following command in the MSYS2 UCRT64 Bash: pacman -Sy
mingw-w64-ucrt-x86_64-git-svn. After that, the git svn command will be
available in that Bash. On Windows/ARM64, you will want to use the
CLANGARM64 variant instead (and install
mingw-w64-clang-aarch64-git-svn).
New Features
* Comes with Git v2.54.0-rc1.
* Comes with Bash v5.3.9.
* Comes with Git Credential Manager v2.7.2.
* Comes with MinTTY v3.8.2.
* The shell aliases in Git Bash that ensured that interpreters such
as Python and Node.JS are executed via winpty are no longer
necessary, and have therefore been dropped.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.7.
* Comes with cURL v8.19.0.
* Comes with OpenSSH v10.3.P1.
Bug Fixes
* The iconv executable, which was inadvertently dropped from Git for
Windows v2.53.0's installer, is now included again.
* In some circumstances, when typing while a still-running program is
about to terminate, the typed characters could arrive out of order
in Git Bash. This bug was fixed.
* Similar to how git clean already avoids traversing NTFS junctions,
git worktree remove now does the same.
* The number of CPU cores is now detected correctly on multi-socket
systems.
Git for Windows v2.54.0-rc0
Changes since Git for Windows v2.53.0(2) (March 10th 2026)
Due to persistent maintenance challenges, git svn is no longer included
in Git for Windows. Users who still need this command are highly
encouraged to use a Linux version of git svn via the Windows Subsystem
for Linux instead, or switch to a regular MSYS2 setup: install MSYS2,
then run the following command in the MSYS2 UCRT64 Bash: pacman -Sy
mingw-w64-ucrt-x86_64-git-svn. After that, the git svn command will be
available in that Bash. On Windows/ARM64, you will want to use the
CLANGARM64 variant instead (and install
mingw-w64-clang-aarch64-git-svn).
New Features
* Comes with Git v2.54.0-rc0.
* Comes with Bash v5.3.9.
* Comes with Git Credential Manager v2.7.2.
* Comes with MinTTY v3.8.2.
* The shell aliases in Git Bash that ensured that interpreters such
as Python and Node.JS are executed via winpty are no longer
necessary, and have therefore been dropped.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.7.
* Comes with cURL v8.19.0.
* Comes with OpenSSH v10.3.P1.
Bug Fixes
* The iconv executable, which was inadvertently dropped from Git for
Windows v2.53.0's installer, is now included again.
* In some circumstances, when typing while a still-running program is
about to terminate, the typed characters could arrive out of order
in Git Bash. This bug was fixed.
* Similar to how git clean already avoids traversing NTFS junctions,
git worktree remove now does the same.
Git for Windows v2.53.0(3)
Changes since Git for Windows v2.53.0(2) (March 10th 2026):
This is a security fix release, addressing CVE-2026-32631.
* CVE-2026-32631, Git for Windows: When a user clones a repository
containing symbolic links pointing to network drives, Git follows
those symlinks during checkout, causing Windows to transparently
perform NTLM authentication and disclose the user's NTLMv2 hash to
an attacker-controlled server. Since NTLM hashing is weak, the
captured hash can potentially be brute-forced to recover the user's
credentials. This is addressed by preventing git clone from
following symbolic links that point to network drives during
checkout.
MinGit for Windows v2.47.3(2)
Changes since Git for Windows v2.47.1(2) (January 14th 2025):
This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
* Comes with Git v2.47.3.
Bug Fixes
* CVE-2025-27613, Gitk: When a user clones an untrusted repository
and runs Gitk without additional command arguments, any writable
file can be created and truncated. The option "Support per-file
encoding" must have been enabled. The operation "Show origin of
this line" is affected as well, regardless of the option being
enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
that a user who has cloned the repository can be tricked into
running any script supplied by the attacker by invoking gitk
filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as
astextplain. On Windows, path lookup can find such executables in
the worktree. These programs are invoked when the user selects "Git
Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository
and is tricked into editing a file located in a maliciously named
directory in the repository, then Git GUI can create and overwrite
any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any
trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the
CR to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out
to an incorrect location. If a symlink exists that points the
altered path to the submodule hooks directory, and the submodule
contains an executable post-checkout hook, the script may be
unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to
optionally fetch a bundle advertised by the remote server, which
allows the server-side to offload parts of the clone to a CDN. The
Git client does not perform sufficient validation of the advertised
bundles, which allows the remote side to perform protocol
injection. This protocol injection can cause the client to write
the fetched bundle to a location controlled by the adversary. The
fetched content is fully controlled by the server, which can in the
worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static
buffer (target) as a unique key for storing and comparing against
internal storage. This credential helper does not properly bounds
check the available space remaining in the buffer before appending
to it with wcsncat(), leading to potential buffer overflows.
Merge branch 'disallow-ntlm-auth-by-default' This topic branch addresses the following vulnerability: - **CVE-2025-66413**: When a user clones a repository from an attacker-controlled server, Git may attempt NTLM authentication and disclose the user's NTLMv2 hash to the remote server. Since NTLM hashing is weak, the captured hash can potentially be brute-forced to recover the user's credentials. This is addressed by disabling NTLM authentication by default. (GHSA-hv9c-4jm9-jh3x) Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
MinGit for Windows v2.52.0(2)
Changes since Git for Windows v2.51.2 (October 28th 2025):
As announced in several recent release notes, git svn is no longer
supported by the Git for Windows project.
New Features
* Comes with Git v2.52.0.
* Comes with PCRE2 v10.47.
* Comes with cURL v8.17.0.
* The Git for Windows installer is now built with version 6.6.0 of
InnoSetup, giving it a more modern look.
Bug Fixes
* The command git help git-bash was broken by a change in upstream
Git v2.49.0, which has been fixed.
MinGit for Windows v2.51.2(2)
Changes since Git for Windows v2.51.1 (October 17th 2025):
New Features
* Comes with Git v2.51.2.
Bug Fixes
* The default credential helper in the portable variant of Git for
Windows (credential-helper-selector) is now high DPI aware.
Git for Windows v2.53.0(2)
Changes since Git for Windows v2.53.0 (February 2nd 2026):
This is a security fix release, addressing CVE-2025-66413.
* CVE-2025-66413, Git for Windows: When a user clones a repository
from an attacker-controlled server, Git may attempt NTLM
authentication and disclose the user's NTLMv2 hash to the remote
server. Since NTLM hashing is weak, the captured hash can
potentially be brute-forced to recover the user's credentials. This
is addressed by disabling NTLM authentication by default.
PreviousNext