Description
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Published: 2026-05-07
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitPython, a Python library for Git interactions, allows an attacker to inject newlines into configuration values via the set_value() function. GitPython passes the value to Python's configparser without validating it, so an embedded [core] stanza survives the write and introduces an unintended core.hooksPath entry. When Git executes hooks during operations such as commit or merge, scripts located at the attacker-controlled path are run, giving full code-execution capability. The weakness is a code-injection flaw classified as CWE-94 and carries a CVSS score of 7.8.

Affected Systems

Any installation of GitPython earlier than version 3.1.49, distributed by the GitPython developers, is affected. The vulnerability is tied to the library’s configuration handling and applies to all environments that use GitPython to perform Git operations.

Risk and Exploitability

With a high CVSS score of 7.8, the vulnerability represents a serious threat. No EPSS value is available, making it unclear how frequently this is exploited, but the fact that the flaw leads to RCE means even a low exploitation probability can be unacceptable. The attack is most likely delivered by an attacker who has write access to a repository's configuration or can influence the creation of a GitPython-based script. No conditional prerequisites beyond the use of GitPython are stated, and the flaw is not listed in the CISA KEV catalog at present.

Generated by OpenCVE AI on May 7, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitPython to version 3.1.49 or later, which validates configuration values and removes the injection vector
  • Ensure that any user‑controlled or downloaded scripts are stored outside the core.hooksPath directory or that hooks execution is disabled in your environment
  • Review and restrict the permissions of directories used by GitPython when performing Git operations to limit the impact of any remaining configuration changes
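The two checks below, written here as an added example and not part of GitPython or the advisory, follow from the mechanism in the Description and the first two recommended actions: a value filter that rejects the newline characters set_value() failed to validate in versions before 3.1.49, and a scan of config text for the indented section header (and any hooksPath assignment) that the flawed _write() would leave behind. The sample config and the /tmp path in it are constructed for illustration.

```python
import re

# Git accepts "[section]" as a header even when the line is indented, which is
# why GitPython's continuation-line indentation (\n -> \n\t) did not neutralise
# an injected "\n[core]\n\thooksPath = ..." value. Two defensive checks follow.

SECTION_RE = re.compile(r"^[ \t]+\[([^\]]+)\]")          # header NOT at column 0
HOOKSPATH_RE = re.compile(r"^\s*hookspath\s*=", re.IGNORECASE)

def is_safe_config_value(value: str) -> bool:
    """True unless the value could end the current line of a git config file."""
    return isinstance(value, str) and "\n" not in value and "\r" not in value

def validate_config_value(value: str) -> str:
    """Call before GitConfigParser.set_value() on GitPython < 3.1.49."""
    if not is_safe_config_value(value):
        raise ValueError("newline characters are not allowed in git config values")
    return value

def find_indented_headers(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, section) for every indented section header.
    Writers emit headers at column 0, so an indented one indicates a
    continuation line that Git will nonetheless parse as a new section."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

def find_hookspath(config_text: str) -> list[int]:
    """Return line numbers on which hooksPath is assigned, at any indentation."""
    return [n for n, line in enumerate(config_text.splitlines(), start=1)
            if HOOKSPATH_RE.match(line)]

# Constructed sample (not from the advisory): a .git/config as the flawed
# _write() would leave it after a value containing an embedded [core] stanza.
SAMPLE_CONFIG = (
    "[user]\n"
    "\tname = example\n"
    "\t[core]\n"
    "\thooksPath = /tmp/constructed-example-hooks\n"
)

if __name__ == "__main__":
    print(find_indented_headers(SAMPLE_CONFIG))  # [(3, 'core')]
    print(find_hookspath(SAMPLE_CONFIG))         # [4]
```

Run the scan over the repository's .git/config (and any included config files) on checkout; a hit from either function warrants inspecting the file before running any Git operation that invokes hooks.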

Advisories
Source: Github GHSA
ID: GHSA-v87r-6q3f-2j67
Title: GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Gitpython Project; Gitpython Project gitpython

Type: Vendors & Products
Values Added: Gitpython Project; Gitpython Project gitpython

Thu, 07 May 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 19:00:00 +0000

Type: Description
Values Added: GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Type: Title
Values Added: GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:56:04.115Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44244

Vulnrichment

Updated: 2026-05-07T20:08:36.502Z

NVD

Status : Undergoing Analysis

Published: 2026-05-07T19:16:02.357

Modified: 2026-05-07T21:16:30.283

Link: CVE-2026-44244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:29Z

Weaknesses