Arbitrary code execution when checking out an attacker-controlled Git branch
Description
Cygwin Git before v2.31.1-2 allows arbitrary code execution during checkout via specially crafted repositories combining symbolic links and filenames with backslash characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cygwin Git before v2.31.1-2 allows arbitrary code execution during checkout via specially crafted repositories combining symbolic links and filenames with backslash characters.
Vulnerability
CVE-2021-29468 is a vulnerability in Cygwin Git, a patch set for the git command-line tool on Cygwin [1]. A specially crafted repository containing symbolic links along with files that have backslash characters (\) in their file names can cause Git to overwrite arbitrary files when checking out the repository [2]. The bug is present in all Cygwin Git versions prior to v2.31.1-2 [1]. It is also present in the upstream Git source code at the time of writing [1][2].
Exploitation
An attacker can exploit this vulnerability by creating a malicious repository that includes both symbolic links and file names with backslash characters [1][2]. When a Cygwin user clones or checks out such a repository, Git processes the backslash-containing filenames in a way that, combined with symlink handling, allows attacker-controlled file contents to be written to arbitrary locations on the file system [1]. The attacker does not require authentication or special privileges; the victim simply needs to clone or pull from an untrusted repository [1][2].
Impact
Successful exploitation enables the attacker to execute arbitrary code as soon as the repository is checked out [1][2]. Specifically, an attacker can overwrite Git hooks (scripts that run automatically during Git operations) to achieve code execution in the context of the user performing the checkout [1]. This is a critical-severity issue because it bypasses the expected sandboxing of Git operations, leading to full compromise of the user's system.
Mitigation
The vulnerability is fixed in Cygwin Git v2.31.1-2, released on April 24, 2021 [1][2]. Users should update to this version or later immediately. For those compiling Git on Cygwin from upstream sources, a manual patch is available at https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch [1][2]. As a workaround until patched, users should avoid cloning or pulling from repositories that are not trusted [1][2]. No known exploitation in the wild has been reported at the time of disclosure. CVE-2019-1354 was a similar vulnerability affecting Git for Windows and Visual Studio [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- me-and/Cygwin-Gitv5Range: < 2.31.1-2
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- cygwin.com/pipermail/cygwin-announce/2021-April/010018.htmlmitrex_refsource_MISC
- github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patchmitrex_refsource_MISC
- github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557mitrex_refsource_CONFIRM
- lore.kernel.org/git/CA+kUOa=juEdBMVr_gyTKjz7PkPt2DZHkXQyzcQmAWCsEHC_ssw%40mail.gmail.com/T/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.