Skip to main content

GitPython EUVDEUVD-2026-28412

| CVE-2026-42284 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-07 GitHub_M GHSA-x2qx-6953-8485
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:47 vuln.today
Analysis Generated
May 07, 2026 - 19:47 vuln.today
CVE Published
May 07, 2026 - 18:19 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 pypi packages depend on gitpython (13 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.1.47.

DescriptionGitHub Advisory

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.

AnalysisAI

Remote code execution in GitPython < 3.1.47 allows unauthenticated network attackers to inject malicious Git configuration during repository clone operations via crafted multi_options arguments. The _clone() method validates options before shlex.split transformation, enabling attackers to bypass unsafe option checks by embedding commands like '--config core.hooksPath=/attacker/path' within '--branch' strings. Git then executes attacker-controlled hooks during clone. Vendor-released patch available in version 3.1.47. CVSS 8.1 with high attack complexity; no EPSS or KEV data available, but public exploit code exists per GitHub security advisory GHSA-x2qx-6953-8485.

Technical ContextAI

GitPython is a Python library for programmatic interaction with Git repositories (cpe:2.3:a:gitpython-developers:gitpython). The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters) in the _clone() function at git/repo/base.py. The code path performs security validation on the original multi_options list, then transforms it via shlex.split(" ".join(multi_options)), and finally passes the transformed result to git clone. The validation uses startswith() checks against unsafe_git_clone_options, which cannot detect dangerous options embedded within quoted strings. For example, '--branch main --config core.hooksPath=/x' passes validation as a single string starting with '--branch', but shlex.split converts it to separate tokens ['--branch', 'main', '--config', 'core.hooksPath=/x'], allowing the --config directive to reach Git's command line. Git then applies the configuration and executes hooks from the attacker-controlled path during clone operations. The same logic flaw affects Submodule.update() via clone_multi_options parameter.

RemediationAI

Upgrade GitPython to version 3.1.47 or later immediately (pip install --upgrade GitPython==3.1.47). This version fixes the validation logic to check options after shlex.split transformation. Release notes confirm the patch at https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47. If immediate upgrade is not possible, implement strict input validation to reject any multi_options strings containing whitespace or shell metacharacters - however, this workaround is complex due to legitimate use cases for quoted arguments, so upgrading is strongly preferred. Do not accept multi_options or clone_multi_options values from untrusted sources; if repository clone configuration must be user-configurable, use an allowlist of specific options (e.g., only permit '--branch <value>' with value validated against a known branch list). Note that blocking --config alone is insufficient due to other potentially dangerous options like --upload-pack. For defense-in-depth, run GitPython operations in sandboxed environments with no write access to system directories and with disabled hooks execution via Git's core.hooksPath set to /dev/null, though this mitigation may break legitimate hook-dependent workflows.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Python 3 15 SP7 Affected

Share

EUVD-2026-28412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy