Project: GitPython

9 matches found

CVE, added 2022/12/12 1:49 a.m., 354 views

CVE-2022-24439

GitPython (Python library for interacting with Git) is affected by an RCE vulnerability in clone/clone_from prior to version 3.1.32 due to improper sanitization of user input in non-multi options. The issue allows injecting a malicious remote URL into the clone command because external git calls ...

CVSS 9.8, AI score 9, EPSS 0.05378

CVE, added 2023/08/11 12:00 a.m., 334 views

CVE-2023-40267

GitPython vulnerability CVE-2023-40267 affects versions before 3.1.32, where insecure non-multi options in clone and clone_from are not blocked. This arises as a follow-up to an incomplete fix for CVE-2022-24439. The issue enables Remote Code Execution via crafted or insecure remote URLs used in ...

CVSS 9.8, AI score 9.4, EPSS 0.00984

CVE, added 2024/01/11 1:23 a.m., 293 views

CVE-2024-22190

CVE-2024-22190 (GitPython) affects GitPython, where an incomplete fix for CVE-2023-40590 leaves an untrusted search path risk on Windows when a shell is used to run git or when bash.exe is used to interpret hooks. The issue can allow a malicious git.exe or bash.exe from an untrusted repository to...

CVSS 7.8, AI score 7.5, EPSS 0.00316

CVE, added 2023/08/30 9:07 p.m., 163 views

CVE-2023-41040

CVE-2023-41040 affects the Python Git library GitPython. In some code paths, a user-supplied file name is joined with the repository’s base directory without ensuring the final path stays inside the repo’s .git area, enabling a potential blind local file access scenario. Official descriptions not...

CVSS 6.5, AI score 5.3, EPSS 0.01012

CVE, added 2023/08/28 5:24 p.m., 74 views

CVE-2023-40590

GitPython (CVE-2023-40590) on Windows can execute a malicious git.exe/git in the current repository when GitPython runs git via a shell or when hooks use bash.exe, enabling arbitrary code execution. A patch exists: GitPython 3.1.41 (and advisories note this incomplete fix was addressed). Mitigati...

CVSS 7.8, AI score 7.4, EPSS 0.00465

CVE, added 2026/05/07 6:22 p.m., 23 views

CVE-2026-44244

CVE-2026-44244 (GitPython): A newline injection in config_writer().set_value() allowed an attacker-controlled core.hooksPath to be injected via an unvalidated value, enabling RCE when Git hooks run (commit, merge, checkout). GitConfigParser.set_value() passes input to configparser without newlin...

CVSS 7.8, AI score 5.8, EPSS 0.00194

CVE, added 2026/05/07 6:17 p.m., 17 views

CVE-2026-42215

GitPython CVE-2026-42215: A vulnerability in GitPython allows arbitrary command execution when attacker-controlled kwargs are passed to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() via the Python kwargs upload_pack/receive_pack. The default unsafe-options guard (allow_unsafe...

CVSS 8.8, AI score 6, EPSS 0.00719

CVE, added 2026/05/07 6:22 p.m., 17 views

CVE-2026-44243

GitPython (Python library for interacting with Git repositories) contains a path-traversal vulnerability in its reference APIs. Before version 3.1.48, attacker-controlled reference names can be used to cause writes, renames, or deletions of files outside the repository’s .git directory due to ins...

CVSS 8.8, AI score 5.7, EPSS 0.00335

CVE, added 2026/05/07 6:19 p.m., 14 views

CVE-2026-42284

GitPython (Python Git library) is affected by CVE-2026-42284 due to unsafe handling of multi_options in _clone() before 3.1.47. The code validates multi_options as the original list, then performs shlex.split(" ".join(multi_options)), which can allow a crafted string like "--branch main --config ...

CVSS 9.8, AI score 5.7, EPSS 0.00571