GHSA-mv93-w799-cj2w
Code Injection vulnerability in gitpython (PyPI)
What is GHSA-mv93-w799-cj2w About?
This vulnerability allows for newline injection in the `section` and `option` parameters of GitPython's `set_value()` method, bypassing an incomplete patch for a previous CVE. Attackers can inject arbitrary section headers into `.git/config`, including a forged `[core]` section with a `hooksPath` pointing to an attacker-controlled directory. This can easily lead to Remote Code Execution when any git hook is triggered.
Affected Software
Technical Details
The vulnerability stems from an incomplete patch for CVE-2026-42215 in GitPython 3.1.49. While the `value` parameter of `set_value()` is validated for newlines, the `section` and `option` parameters are not; both are passed directly to `configparser.set()`. Specifically, the code in `git/config.py` does not validate the `section` argument before calling `add_section(section)` or `super().set(section, option, value_str)`. This allows an attacker to inject `\n` characters into the `section` argument, for example `user]\n[core`. When `.git/config` is written, this produces two valid section headers, `[user]` and `[core]`. By inserting `[core]` followed by `hooksPath = /tmp/evil_hooks`, an attacker can redirect Git hooks to an arbitrary directory, enabling Remote Code Execution when a Git hook is subsequently executed.
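The two helpers below are an added example written for this page; they are not GitPython's code or its patch. The first applies the check the advisory says was missing, rejecting newlines (and the structural characters `[`, `]`, `=`, `#`, `;`) in section and option names, not only in values. The second is an incident-response style check that reads the text of a `.git/config` and reports every `hooksPath` setting, flagging ones that resolve outside the repository, which is how a forged `[core]` section of the kind described above would show up. Function names, the `/srv/repo` path and the sample config text are assumptions constructed for the example; the `user]\n[core` and `/tmp/evil_hooks` strings are the ones the advisory itself cites.

```python
import re
from pathlib import Path

# Characters that end a line in an INI-style file; a name containing one
# lets the caller start a new line, and therefore a new header or key.
_CONTROL = re.compile(r"[\r\n\x00]")
_SECTION_HEADER = re.compile(r"^\s*\[([^\]]*)\]")
_HOOKS_PATH = re.compile(r"^\s*hookspath\s*=\s*(.*?)\s*$", re.IGNORECASE)


def validate_config_name(name: str, kind: str) -> str:
    """Reject a section or option name that could alter the file's structure.

    kind is "section" or "option"; it selects the extra characters that are
    forbidden for that position and labels the error message.
    """
    if not isinstance(name, str) or not name.strip():
        raise ValueError(f"{kind} name must be a non-empty string")
    if _CONTROL.search(name):
        raise ValueError(f"{kind} name contains a newline or NUL character")
    if kind == "section" and ("[" in name or "]" in name):
        raise ValueError("section name may not contain brackets")
    if kind == "option" and any(c in name for c in "=#;"):
        raise ValueError("option name may not contain '=', '#' or ';'")
    return name


def is_safe_config_name(name: str, kind: str) -> bool:
    """Boolean form of validate_config_name() for callers that prefer not to catch."""
    try:
        validate_config_name(name, kind)
    except ValueError:
        return False
    return True


def scan_git_config(text: str) -> list:
    """Return (section, value) for every hooksPath line in a git config text.

    Git only honours core.hooksPath, but the setting is reported wherever it
    appears so that a duplicated or forged [core] section stands out.
    """
    findings = []
    section = None
    for line in text.splitlines():
        header = _SECTION_HEADER.match(line)
        if header:
            section = header.group(1).strip()
            continue
        hook = _HOOKS_PATH.match(line)
        if hook:
            findings.append((section, hook.group(1)))
    return findings


def suspicious_hooks_paths(text: str, repo_dir: str) -> list:
    """Flag hooksPath values that resolve outside the repository directory.

    Intended for the repository-local .git/config: a relative value is taken
    relative to the working tree root (as git does), an absolute value as-is.
    An organisation-wide hooks directory configured in the *global* config is
    a legitimate reason to see an outside path, so apply this to local files.
    """
    repo = Path(repo_dir).resolve()
    flagged = []
    for section, value in scan_git_config(text):
        target = Path(value)
        target = (target if target.is_absolute() else repo / target).resolve()
        if target != repo and repo not in target.parents:
            flagged.append((section, value))
    return flagged


# Constructed sample: a config in which a second [core] header appears after
# [user], as it would after a section name of "user]\n[core" were written out.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[user]
\tname = Example User
[core]
\thooksPath = /tmp/evil_hooks
"""

if __name__ == "__main__":
    print("section name ok:", is_safe_config_name("user]\n[core", "section"))
    print("hooksPath findings:", scan_git_config(SAMPLE_CONFIG))
    print("outside repo:", suspicious_hooks_paths(SAMPLE_CONFIG, "/srv/repo"))
```

Running the validator before `configparser.set()` is the mitigation side; `scan_git_config()` over the `.git/config` files of checked-out repositories (or over files an application writes on behalf of users) is the detection side, and a `hooksPath` pointing outside the repository is the indicator worth reviewing.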
What is the Impact of GHSA-mv93-w799-cj2w?
Successful exploitation may allow attackers to achieve Remote Code Execution (RCE) on the system where the vulnerable GitPython application is running. This can lead to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of GHSA-mv93-w799-cj2w?
Exploitation is relatively straightforward, requiring the ability to control the section argument passed to set_value() within a GitPython application. No prior authentication is needed if the application exposes this functionality to unauthenticated users. The attack is local, requiring access to the system where the .git/config file resides or a mechanism to trigger the vulnerable code path. Privilege requirements will be those of the user running the GitPython application. The primary risk factor is any application that uses GitPython and allows user-controlled input to influence the section or option parameters of the config writer, especially in contexts where Git hooks are frequently triggered.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-mv93-w799-cj2w?
Available Upgrade Options
- gitpython
  - <3.1.50 → Upgrade to 3.1.50
What are Similar Vulnerabilities to GHSA-mv93-w799-cj2w?
Similar Vulnerabilities: CVE-2026-42215, CVE-2023-22442, CVE-2023-22443, CVE-2023-22444, CVE-2023-22445
