DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-x2qx-6953-8485: Argument Injection via Insecure Transformation in GitPython

Vulnerability ID: GHSA-x2qx-6953-8485
CVSS Score: 8.8
Published: 2026-04-25

GitPython versions prior to 3.1.44 contain a high-severity vulnerability in the handling of the multi_options parameter during repository clone operations. The option list is validated, then joined into a single string and re-split, so the arguments that reach the underlying git clone command are not the arguments that were checked. An attacker who controls multi_options can inject arbitrary git arguments and achieve remote code execution.

TL;DR

Argument injection in GitPython's _clone() method allows arbitrary code execution. The flaw is a validate-then-transform ordering bug: the multi_options list is checked element by element, then the elements are joined into one string and re-parsed with shlex.split(). Quotes and whitespace inside a single element change the argument structure during that re-parse, so the argv handed to git differs from the list that passed validation.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • CVSS Score: 8.8
  • Exploit Status: Proof-of-Concept
  • Component: git/repo/base.py (_clone)

Affected Systems

  • GitPython < 3.1.44 (fixed in 3.1.44)

Code Analysis

Commit: 26c6985

Fix argument injection vulnerability via insecure transformation in _clone method.

Mitigation Strategies

  • Update GitPython to version 3.1.44 or newer.
  • Validate the exact argument vector that reaches git, after any join/split or other transformation, and prefer a strict allow-list of option names over a deny-list of known-dangerous prefixes.
  • Avoid passing untrusted input to the multi_options parameter of Repo.clone_from(); build the option list from application constants.
  • Run the application with least privilege to limit the impact of arbitrary command execution.
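The following is an added illustration of the validate-then-transform pattern described in the TL;DR and of the allow-listing mitigation above. It is not GitPython's code and not the advisory's proof of concept: the deny-list, the allow-list, the function names and the sample option strings are all assumed here to show the mechanism. The vulnerable builder checks the raw list and then passes the result of shlex.split(" ".join(...)); the hardened builder never transforms, treats each element as exactly one argv entry, and validates what is actually passed.

```python
import re
import shlex
from typing import Dict, List

# Illustrative deny-list of clone options that make git run an attacker-chosen
# program. Assumed for this example; it is not GitPython's list.
DENIED_PREFIXES = ("--upload-pack", "-u", "--config", "-c")

# Illustrative allow-list for the hardened path (assumed; tune per application).
ALLOWED_OPTIONS = {"--depth", "--branch", "--single-branch", "--no-tags"}
VALUE_PATTERN = re.compile(r"[A-Za-z0-9._/@+-]+")  # no whitespace, no quotes


class UnsafeOptionError(ValueError):
    """Raised when an option fails validation."""


def check_unsafe_options(options: List[str]) -> None:
    """Prefix-based deny-list check, applied to each element as given."""
    for opt in options:
        if any(opt.startswith(bad) for bad in DENIED_PREFIXES):
            raise UnsafeOptionError(f"unsafe option: {opt!r}")


def tokens_after_transformation(multi_options: List[str]) -> List[str]:
    """The join-then-shlex.split step: the argv that would actually reach git."""
    return shlex.split(" ".join(multi_options))


def build_clone_argv_vulnerable(url: str, multi_options: List[str]) -> List[str]:
    """Validate, then transform: the list that is checked is not the list
    that is passed. Models the ordering the advisory describes."""
    check_unsafe_options(multi_options)                 # checks raw elements
    multi = tokens_after_transformation(multi_options)  # passes different ones
    return ["git", "clone", *multi, "--", url]


def reorder_catches(multi_options: List[str]) -> bool:
    """True if running the same deny-list on the transformed tokens rejects
    the input, i.e. validating what is passed would have closed the gap."""
    try:
        check_unsafe_options(tokens_after_transformation(multi_options))
    except UnsafeOptionError:
        return True
    return False


def build_clone_argv_hardened(url: str, multi_options: List[str]) -> List[str]:
    """No join/split: each element is one argv entry, must be `--name` or
    `--name=value` with an allow-listed name and a conservative value, and the
    deny-list runs on the final argv as defence in depth."""
    for opt in multi_options:
        name, sep, value = opt.partition("=")
        if name not in ALLOWED_OPTIONS:
            raise UnsafeOptionError(f"option not allow-listed: {opt!r}")
        if sep and not VALUE_PATTERN.fullmatch(value):
            raise UnsafeOptionError(f"bad option value: {opt!r}")
    argv = ["git", "clone", *multi_options, "--", url]
    check_unsafe_options(argv[2:-2])  # validate exactly what is passed
    return argv


def hardened_rejects(multi_options: List[str]) -> bool:
    """True if the hardened builder refuses the given option list."""
    try:
        build_clone_argv_hardened("https://git.example.invalid/repo.git", multi_options)
    except UnsafeOptionError:
        return True
    return False


def demo() -> Dict[str, List[str]]:
    """Constructed inputs (placeholder URL and path) that pass the element-wise
    check but expand to a denied argument after the re-parse."""
    url = "https://git.example.invalid/repo.git"
    payloads = {
        "quoted": ['"--upload-pack=/tmp/evil"'],              # quotes hide the prefix
        "space_joined": ["--depth=1 --upload-pack=/tmp/evil"],  # one element, two args
    }
    return {label: build_clone_argv_vulnerable(url, p) for label, p in payloads.items()}


if __name__ == "__main__":
    for label, argv in demo().items():
        print(f"{label:13s} -> {argv}")
    print("benign options:", build_clone_argv_hardened(
        "https://git.example.invalid/repo.git", ["--depth=1", "--branch=main"]))
```

The two constructed payloads are each a single list element that the element-wise check accepts; after the join and shlex.split() the quotes are stripped and the embedded space becomes an argument boundary, so the argv contains an option the check was meant to reject. Running the same check on the transformed tokens (reorder_catches) rejects both, which is the ordering fix; the hardened builder goes further by refusing to transform at all and by allow-listing option names.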

Remediation Steps:

  1. Identify all repositories utilizing the GitPython dependency.
  2. Audit application source code for calls to Repo.clone_from() and Repo.clone(), both of which route through _clone().
  3. Trace where the data populating the multi_options parameter comes from and confirm none of it is attacker-controlled.
  4. Upgrade the GitPython package with pip install --upgrade "GitPython>=3.1.44" and confirm the installed version.
  5. Deploy the updated application to staging environments for regression testing.
  6. Release the patched application to production environments.

