Critical severityNVD Advisory· Published Dec 12, 2022· Updated Nov 3, 2025
Remote Code Execution (RCE)
CVE-2022-24439
Description
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
GitPythonPyPI | < 3.1.30 | 3.1.30 |
Affected products
4- gitpython/gitpythondescription
- ghsa-coords3 versionspkg:pypi/gitpythonpkg:rpm/opensuse/python3-bandit&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-GitPython&distro=openSUSE%20Tumbleweed
< 3.1.30+ 2 more
- (no CPE)range: < 3.1.30
- (no CPE)range: < 1.7.6-1.1
- (no CPE)range: < 3.1.44-1.1
Patches
Vulnerability mechanics
References
24- github.com/advisories/GHSA-hcpj-qp55-gfphghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2022-24439ghsaADVISORY
- security.gentoo.org/glsa/202311-01ghsavendor-advisoryWEB
- github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.pyghsaWEB
- github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249ghsaWEB
- github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261ghsaWEB
- github.com/gitpython-developers/GitPython/issues/1515ghsaWEB
- github.com/gitpython-developers/GitPython/releases/tag/3.1.30ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2023/07/msg00024.htmlghsamailing-listWEB
- lists.debian.org/debian-lts-announce/2024/10/msg00030.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JNghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5RghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7XghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JNghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5RghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7XghsaWEB
- security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858ghsaWEB
News mentions
0No linked articles in our index yet.