Description
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split it becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker-controlled hooks during the clone. This issue has been patched in version 3.1.47.
Published: 2026-05-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in GitPython's processing of clone options. The library validates the list of options before joining it into a string and splitting that string with shlex.split, so a single list element such as "--branch main --config core.hooksPath=/x" passes validation as one "--branch" option. The subsequent split produces separate tokens that Git interprets as a configuration change, pointing the hooks directory at an attacker-specified path. When the repository is cloned, Git picks up and runs hooks from that directory, thereby executing arbitrary code. This is argument injection through inadequate input validation (CWE-88): the check is applied to a representation of the input that differs from what Git receives, which can lead to remote code execution on the machine running the clone operation.
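The ordering problem described above, as an added example that is not GitPython's own code: a constructed allow-list check is run once in the vulnerable order (validate each list element, then join and shlex.split) and once on the post-split tokens that Git would actually receive. The allow-list, the function names and the benign inputs are assumptions for this example; what the fixed 3.1.47 release does internally is not described on this page.

```python
import shlex

# Constructed allow-list of clone options for this example; it stands in for
# the kind of option check the advisory describes and is not GitPython's code.
ALLOWED_OPTIONS = {"--branch", "--depth", "--single-branch", "--no-tags"}


def _allowed(token: str) -> bool:
    """True if an option token (with or without '=value') is on the allow-list."""
    return token.split("=", 1)[0] in ALLOWED_OPTIONS


def vulnerable_clone_args(multi_options: list[str]) -> list[str]:
    """Pre-3.1.47 ordering as the advisory describes it: validate each list
    element, then shlex.split the joined string. Returns the argv git sees."""
    for opt in multi_options:
        # Each element is judged as one unit, so a prefix match is enough to pass.
        if opt.startswith("-") and not any(opt.startswith(a) for a in ALLOWED_OPTIONS):
            raise ValueError(f"option not allowed: {opt!r}")
    # The split happens after the check, so one element can become many tokens.
    return shlex.split(" ".join(multi_options))


def hardened_clone_args(multi_options: list[str]) -> list[str]:
    """Validate the tokens git will actually receive: split first, then
    check every option-looking token against the allow-list."""
    tokens = shlex.split(" ".join(multi_options))
    for tok in tokens:
        # Any token that looks like an option must be explicitly allowed; this
        # rejects --config (and its short form -c), which git would otherwise apply.
        if tok.startswith("-") and not _allowed(tok):
            raise ValueError(f"option not allowed after split: {tok!r}")
    return tokens


if __name__ == "__main__":
    # Constructed input: the option string quoted in the advisory.
    smuggled = ["--branch main --config core.hooksPath=/x"]
    print("vulnerable ->", vulnerable_clone_args(smuggled))
    try:
        hardened_clone_args(smuggled)
    except ValueError as exc:
        print("hardened  ->", exc)
```

The only difference between the two functions is which representation is validated; the same allow-list that is bypassed in the first is sufficient in the second.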

Affected Systems

Any Python application that uses the GitPython library is affected; the vulnerability exists in all releases prior to 3.1.47. An application is exposed when it invokes GitPython's _clone() path with an option vector (multi_options) taken from untrusted sources, such as user input or data received from external repository endpoints.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can supply or influence the repository URLs and clone options that the application passes to GitPython can exploit this flaw. The vulnerability requires no privileges, so it remains a strong local or remote threat to any application that performs unrestricted clone operations.

Generated by OpenCVE AI on May 7, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitPython to version 3.1.47 or later
  • Restrict the usage of GitPython to clone only repositories from trusted sources and validate any repository URLs before cloning
  • Configure Git to disable or tightly control hook execution, for example by setting core.hooksPath to an empty value or a trusted directory



Advisories
Source: GitHub GHSA
ID: GHSA-x2qx-6953-8485
Title: GitPython: Unsafe option check validates multi_options before shlex.split transformation
History

Fri, 08 May 2026 23:15:00 +0000

Type              Values removed   Values added
References        (none)           (none listed)
Metrics (ssvc)    (none)           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:15:00 +0000

Type                 Values removed   Values added
First Time appeared  (none)           Gitpython Project; Gitpython Project gitpython
CPEs                 (none)           cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*
Vendors & Products   (none)           Gitpython Project; Gitpython Project gitpython

Thu, 07 May 2026 19:00:00 +0000

Type                 Values removed   Values added
Description          (none)           GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
Title                (none)           GitPython: Unsafe option check validates multi_options before shlex.split transforms it
Weaknesses           (none)           CWE-88
References           (none)           (none listed)
Metrics (cvssV3_1)   (none)           {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:56:02.927Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42284

Vulnrichment

Updated: 2026-05-08T22:51:44.136Z

NVD

Status : Modified

Published: 2026-05-07T19:16:01.783

Modified: 2026-05-08T23:16:36.250

Link: CVE-2026-42284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:30Z

Weaknesses