4 matches found
CVE-2018-11235
CVE-2018-11235 affects Git prior to 2.17.1 (advisories also list 2.13.7, 2.14.4, 2.15.2, 2.16.4, 2.17.1). A crafted .gitmodules file can cause directory traversal through submodule names, so that a malicious project triggers a chain where submodule names are appended to $GIT_DIR/modul...
CVE-2021-46101
CVE-2021-46101 affects Git for Windows up to version 2.34.1. The connected Red Hat and OSV entries corroborate the description: when using git pull to update the local repository, git.cmd can be run directly. The documents do not provide further root-cause technical details, affected subcomponent...
CVE-2022-31012
Git for Windows (a Windows-specific patch set of Git) contains a vulnerability tracked as CVE-2022-31012 where the installer can mistakenly execute a binary placed at C:\mingw64\bin\git.exe during a fresh install (not during upgrades). A fix was released in version 2.37.1. Workarounds include cre...
CVE-2025-66413
CVE-2025-66413 (Git for Windows) affects the Windows port of Git prior to 2.53.0(2). The issue arises when a user is tricked into cloning from a malicious server, allowing an attacker to obtain the user’s NTLM hash. Because NTLM hashing is weak, the attacker may brute-force the user’s account nam...