
Git-For-Windows Git vulnerabilities

9 known vulnerabilities affecting git-for-windows/git.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2022-41953 | P3 | HIGH | CVSS 7.8 | fixed in 2.39.1 | 2023-01-17
[HIGH] CWE-426: Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspel
Source: nvd
CVE-2026-32631 | P3 | HIGH | CVSS 7.4 | fixed in 2.53.0.windows.3 | 2026-04-15
[HIGH] CWE-200: Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentic
Source: nvd
CVE-2023-29011 | P3 | HIGH | CVSS 7.8 | fixed in 2.40.1 | 2023-04-25
[HIGH] CWE-427: Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted a
Source: nvd
CVE-2023-23618 | P3 | HIGH | CVSS 7.8 | fixed in 2.39.2 | 2023-02-14
[HIGH] CWE-426: Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2.
Source: nvd
CVE-2022-31012 | P3 | HIGH | CVSS 7.3 | fixed in 2.37.1 | 2022-07-12
[HIGH] CWE-426: Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are availab
Source: nvd
CVE-2023-29012 | P3 | HIGH | CVSS 7.8 | fixed in 2.40.1 | 2023-04-25
[HIGH] CWE-427: Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolled Search Path Element vulnerability. Maliciously-placed `doskey.exe` would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaro
Source: nvd
CVE-2023-22743 | P3 | HIGH | CVSS 7.3 | fixed in 2.39.2 | 2023-02-14
[HIGH] CWE-426: Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, by carefully crafting DLL and putting into a subdirectory of a specific name living next to the Git for Windows installer, Windows can be tricked into side-loading said DLL. This potentially allows users with local write access to place mal
Source: nvd
CVE-2025-66413 | P4 | MEDIUM | CVSS 6.5 | fixed in 2.53.0(2) | 2026-03-10
[MEDIUM] CWE-200: Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).
Source: nvd
CVE-2023-25815 | P4 | LOW | CVSS 2.2 | fixed in 2.40.1 | 2023-04-25
[LOW] CWE-22: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-code
Source: nvd