Security vulnerability in Git for Cygwin

Adam Dinwoodie
Sat Apr 24 20:28:23 GMT 2021

Hi folks,

Version 2.31.1-2 of Git has been uploaded and should be coming soon to
a mirror near you.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary

This vulnerability is present on all Cygwin Git versions prior to
v2.31.1-2. Until you have that release, the best mitigation is to not
clone or check out from any untrusted Git repositories.

There is a small amount of additional information in the GitHub
Security Advisory at

If you compile Git on Cygwin yourself, there is currently no upstream
patch that addresses the vulnerability. Until there is, I would
recommend applying the preliminary patch at

I'd like to thank RyotaK ( / for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the

Kind regards,

