gitpython 0.3.0-beta2

Direct Vulnerabilities

Known vulnerabilities in the gitpython package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Command Injection GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Command Injection via the `set_value` function when the `section` parameter is not properly validated for newline characters. An attacker can execute arbitrary code by injecting malicious section headers into the `.git/config` file, which can redirect `core.hooksPath` to an attacker-controlled directory and trigger execution when a git hook runs. Note: This vulnerability bypasses the patch for CVE-2026-42215. How to fix Command Injection? Upgrade `GitPython` to version 3.1.50 or higher.	[,3.1.50)
H Arbitrary Code Injection GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Arbitrary Code Injection via the `set_value` function. An attacker can achieve arbitrary code execution by injecting newline characters into configuration values, which allows the creation of malicious Git configuration entries such as `core.hooksPath`. This enables execution of attacker-controlled scripts during Git operations that invoke hooks. How to fix Arbitrary Code Injection? Upgrade `GitPython` to version 3.1.49 or higher.	[,3.1.49)
H Directory Traversal GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Directory Traversal through insufficient validation of reference paths in the creation, renaming, and deletion. An attacker can write, overwrite, move, or delete files outside the intended directory by supplying crafted reference paths to the relevant APIs. How to fix Directory Traversal? Upgrade `GitPython` to version 3.1.48 or higher.	[,3.1.48)
C Arbitrary Argument Injection GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Arbitrary Argument Injection in the `multi_options` parameter of the `_clone` function, which may be passed in via the `clone_from()`, `clone()`, or `Submodule.update()` functions. An attacker can execute arbitrary code by supplying specially crafted input that manipulates Git configuration options, leading to the execution of malicious hooks during cloning. How to fix Arbitrary Argument Injection? Upgrade `GitPython` to version 3.1.47 or higher.	[,3.1.47)
H Untrusted Search Path GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious `git.exe` or `bash.exe` in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used. Notes: This is a completion of the fix for CVE-2023-40590. When GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if `git.execute` is called directly with `shell=True` or after `git.USE_SHELL = True`, to run any command. On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell. How to fix Untrusted Search Path? Upgrade `GitPython` to version 3.1.41 or higher.	[,3.1.41)
M Directory Traversal GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Directory Traversal due to improper validation of the final path. Although this vulnerability cannot be used to read the contents of files, it could potentially be used to trigger a denial of service for the program. How to fix Directory Traversal? Upgrade `GitPython` to version 3.1.35 or higher.	[,3.1.35)
H Untrusted Search Path GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Untrusted Search Path allowing an attacker to run any arbitrary commands through a downloaded repository with a malicious git executable. Note: This vulnerability affects only Windows systems. How to fix Untrusted Search Path? Upgrade `GitPython` to version 3.1.33 or higher.	[,3.1.33)
C Remote Code Execution (RCE) GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to an improper fix for CVE-2022-24439, which allows insecure non-multi options in `clone` and `clone_from`. How to fix Remote Code Execution (RCE)? Upgrade `GitPython` to version 3.1.32 or higher.	[,3.1.32)
H Remote Code Execution (RCE) GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to `git` without sufficient sanitization of input arguments. This is only relevant when enabling the `ext` transport protocol. How to fix Remote Code Execution (RCE)? Upgrade `GitPython` to version 3.1.30 or higher.	[0,3.1.30)
M Regular Expression Denial of Service (ReDoS) GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when a user controls the input passed to the pattern matching function. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `GitPython` to version 3.1.27 or higher.	[,3.1.27)

Vulnerability

Vulnerable Version

Command Injection

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Command Injection via the set_value function when the section parameter is not properly validated for newline characters. An attacker can execute arbitrary code by injecting malicious section headers into the .git/config file, which can redirect core.hooksPath to an attacker-controlled directory and trigger execution when a git hook runs.

Note: This vulnerability bypasses the patch for CVE-2026-42215.

How to fix Command Injection?

Upgrade GitPython to version 3.1.50 or higher.

[,3.1.50)

Arbitrary Code Injection

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Arbitrary Code Injection via the set_value function. An attacker can achieve arbitrary code execution by injecting newline characters into configuration values, which allows the creation of malicious Git configuration entries such as core.hooksPath. This enables execution of attacker-controlled scripts during Git operations that invoke hooks.

How to fix Arbitrary Code Injection?

Upgrade GitPython to version 3.1.49 or higher.

[,3.1.49)

Directory Traversal

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Directory Traversal through insufficient validation of reference paths in the creation, renaming, and deletion. An attacker can write, overwrite, move, or delete files outside the intended directory by supplying crafted reference paths to the relevant APIs.

How to fix Directory Traversal?

Upgrade GitPython to version 3.1.48 or higher.

[,3.1.48)

Arbitrary Argument Injection

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Arbitrary Argument Injection in the multi_options parameter of the _clone function, which may be passed in via the clone_from(), clone(), or Submodule.update() functions. An attacker can execute arbitrary code by supplying specially crafted input that manipulates Git configuration options, leading to the execution of malicious hooks during cloning.

How to fix Arbitrary Argument Injection?

Upgrade GitPython to version 3.1.47 or higher.

[,3.1.47)

Untrusted Search Path

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path via the use of an untrusted search path on Windows. An attacker can execute arbitrary code by placing a malicious git.exe or bash.exe in the current directory, which may then be executed instead of the legitimate binaries when certain GitPython features are used.

Notes:

This is a completion of the fix for CVE-2023-40590.
When GitPython runs git directly rather than through a shell, the GitPython process performs the path search, and omits the current directory by setting NoDefaultCurrentDirectoryInExePath in its own environment during the Popen call.
GitPython sets the subprocess CWD to the root of a repository's working tree. Using a shell will run a malicious git.exe in an untrusted repository even if GitPython itself is run from a trusted location. This also applies if git.execute is called directly with shell=True or after git.USE_SHELL = True, to run any command.
On Windows, GitPython uses bash.exe to run hooks that appear to be scripts. However, unlike when running git, no steps are taken to avoid finding and running bash.exe in the current directory. While bash.exe is a shell, this is a separate scenario from when git is run using the unrelated Windows cmd.exe shell.

How to fix Untrusted Search Path?

Upgrade GitPython to version 3.1.41 or higher.

[,3.1.41)

Directory Traversal

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Directory Traversal due to improper validation of the final path. Although this vulnerability cannot be used to read the contents of files, it could potentially be used to trigger a denial of service for the program.

How to fix Directory Traversal?

Upgrade GitPython to version 3.1.35 or higher.

[,3.1.35)

Untrusted Search Path

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Untrusted Search Path allowing an attacker to run any arbitrary commands through a downloaded repository with a malicious git executable.

Note: This vulnerability affects only Windows systems.

How to fix Untrusted Search Path?

Upgrade GitPython to version 3.1.33 or higher.

[,3.1.33)

Remote Code Execution (RCE)

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to an improper fix for CVE-2022-24439, which allows insecure non-multi options in clone and clone_from.

How to fix Remote Code Execution (RCE)?

Upgrade GitPython to version 3.1.32 or higher.

[,3.1.32)

Remote Code Execution (RCE)

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. This is only relevant when enabling the ext transport protocol.

How to fix Remote Code Execution (RCE)?

Upgrade GitPython to version 3.1.30 or higher.

[0,3.1.30)

Regular Expression Denial of Service (ReDoS)

GitPython is a python library used to interact with Git repositories

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when a user controls the input passed to the pattern matching function.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade GitPython to version 3.1.27 or higher.

[,3.1.27)

gitpython@0.3.0-beta2

GitPython is a Python library used to interact with Git repositories

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically