Remote code execution in Binderhub
Description
A remote code execution vulnerability in BinderHub allows attackers to run arbitrary commands by crafting malicious git references.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A remote code execution vulnerability exists in BinderHub, a Kubernetes-based service for sharing reproducible interactive computing environments. The flaw resides in the GitRepoProvider class within binderhub/repoproviders.py. The git ls-remote command is invoked without a `--` separator between options and positional arguments, so a user-supplied unresolved ref that begins with `-` is parsed by git as a command-line option rather than as a ref name, allowing an attacker to inject additional options by providing maliciously crafted input as the unresolved ref. Affected versions are those prior to 0.2.0-n653 [1][2].
Exploitation
An attacker needs only to provide a crafted repository URL or reference that includes injected options for the git ls-remote command. Since the user-supplied input is not properly sanitized, the attacker can pass arbitrary flags to git ls-remote, potentially executing arbitrary commands. No authentication is required, as the vulnerability is triggered during the normal repository resolution process when BinderHub processes a user-provided repository specification [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the BinderHub context. This can lead to exfiltration of sensitive credentials, including JupyterHub API tokens, Kubernetes service accounts, and Docker registry credentials. An attacker could then manipulate images and user-created pods in the deployment, with the potential for privilege escalation to the host depending on the underlying Kubernetes configuration. The confidentiality, integrity, and availability of the deployment are all at risk [1][2].
Mitigation
Users should update to version 0.2.0-n653, which includes the fix. The patch inserts -- before the positional arguments in the git ls-remote command, preventing option injection [2]. For users unable to upgrade, a workaround is to disable the git repo provider by setting the BinderHub.repo_providers configuration to exclude GitRepoProvider [1][3]. No EOL status or KEV listing has been reported.
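The following added example (not BinderHub's own code) models the mechanism described under Vulnerability and the fix described under Mitigation: it builds the `git ls-remote` argv in both the pre-fix and patched shapes, classifies each token the way a getopt-style parser would (simplified model, not git's real parser), and adds a defence-in-depth ref check that rejects a leading `-` and a subset of the characters git itself forbids in ref names. The repository URL and the ref `-crafted` are constructed placeholders; `-crafted` is not a real git option.

```python
# Added example (not BinderHub's own code): models how a getopt-style parser
# such as git's sorts argv into options and positionals, and shows why the
# patched form with "--" keeps a user-supplied ref out of the option slots.
# The ref "-crafted" below is a constructed placeholder, not a real git option.
import re
import subprocess
from typing import List, Tuple


def build_ls_remote_argv(repo: str, ref: str, separate_options: bool = True) -> List[str]:
    """Return the argv for `git ls-remote`.

    separate_options=False reproduces the pre-fix shape (no "--"),
    separate_options=True reproduces the patched shape.
    """
    argv = ["git", "ls-remote"]
    if separate_options:
        argv.append("--")  # end-of-options marker: everything after it is positional
    argv += [repo, ref]
    return argv


def split_options_positionals(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Simplified model of how git's option parser classifies arguments.

    Before a "--" token, anything starting with "-" is an option; after it,
    every token is positional. Only the arguments after the subcommand are
    considered. (A model for illustration, not git's actual parser.)
    """
    options: List[str] = []
    positionals: List[str] = []
    end_of_options = False
    for arg in argv[2:]:  # skip "git" and the subcommand name
        if end_of_options:
            positionals.append(arg)
        elif arg == "--":
            end_of_options = True
        elif arg.startswith("-"):
            options.append(arg)
        else:
            positionals.append(arg)
    return options, positionals


# Characters and sequences git rejects in ref names (subset of the
# `git check-ref-format` rules), plus a leading "-", which is never a valid
# branch name and is exactly what turns a ref into an option.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//")


def is_acceptable_ref(ref: str) -> bool:
    """Defence-in-depth input check applied before any subprocess call."""
    if not ref or ref.startswith("-") or ref == "@":
        return False
    if _FORBIDDEN.search(ref):
        return False
    if ref.startswith("/") or ref.endswith("/"):
        return False
    if ref.endswith(".") or ref.endswith(".lock"):
        return False
    return True


def resolve_ref(repo: str, ref: str) -> str:
    """Resolve a head/tag to a commit SHA the way the patched provider does,
    guarded by the ref check. Needs git and network access; not exercised
    by the offline checks in __main__."""
    if not is_acceptable_ref(ref):
        raise ValueError(f"refusing to resolve malformed ref {ref!r}")
    result = subprocess.run(
        build_ls_remote_argv(repo, ref),
        text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False,
    )
    if result.returncode:
        raise RuntimeError(f"git ls-remote failed: {result.stderr.strip()}")
    if not result.stdout.strip():
        raise ValueError(f"ref {ref!r} not found in {repo}")
    return result.stdout.split()[0]  # first column of ls-remote output is the SHA


if __name__ == "__main__":
    repo = "https://example.invalid/org/repo.git"  # constructed placeholder
    for fixed in (False, True):
        argv = build_ls_remote_argv(repo, "-crafted", separate_options=fixed)
        print("patched" if fixed else "vulnerable", argv,
              split_options_positionals(argv))
    print(is_acceptable_ref("main"), is_acceptable_ref("-crafted"))
```

Running the block shows that without `--` the crafted ref lands in the option list while the repository URL is the only positional, and with `--` both values are positional regardless of their first character. The `is_acceptable_ref` check is an extra layer on top of the `--` fix, not a replacement for it: the separator is what guarantees git never reads either positional as an option.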
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| binderhub (PyPI) | < 0.2.0 | 0.2.0 |
Patches (2)
195caac17269 Explicitly separate git-ls-remote options from positional arguments
1 file changed · +1 −1
binderhub/repoproviders.py+1 −1 modified@@ -484,7 +484,7 @@ async def get_resolved_ref(self): self.sha1_validate(self.unresolved_ref) except ValueError: # The ref is a head/tag and we resolve it using `git ls-remote` - command = ["git", "ls-remote", self.repo, self.unresolved_ref] + command = ["git", "ls-remote", "--", self.repo, self.unresolved_ref] result = subprocess.run(command, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) if result.returncode: raise RuntimeError("Unable to run git ls-remote to get the `resolved_ref`: {}".format(result.stderr))
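Review bot: The one-line change to `command = ["git", "ls-remote", "--", self.repo, self.unresolved_ref]` is the right fix, since git's option parser treats `--` as end-of-options and everything after it as positional, so neither `self.repo` nor `self.unresolved_ref` can be read as an option whatever its first character. Two follow-ups worth adding in the same area: reject an `unresolved_ref` that begins with `-` (or otherwise fails git's ref-name rules) before the `sha1_validate` / `ls-remote` path, so malformed input fails early with a clear error instead of reaching the subprocess, and add a regression test asserting that the constructed argv contains `--` immediately before the repository argument, so a future refactor of this line cannot silently reintroduce the problem.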
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9jjr-qqfp-ppwx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39159 (GHSA, advisory)
- github.com/jupyterhub/binderhub/commit/195caac172690456dcdc8cc7a6ca50e05abf8182 (GHSA, web)
- github.com/jupyterhub/binderhub/commit/195caac172690456dcdc8cc7a6ca50e05abf8182.patch (GHSA, x_refsource_MISC, web)
- github.com/jupyterhub/binderhub/security/advisories/GHSA-9jjr-qqfp-ppwx (GHSA, x_refsource_CONFIRM, web)
- github.com/pypa/advisory-database/tree/main/vulns/binderhub/PYSEC-2021-371.yaml (GHSA, web)