PyPI package
gitpython
pkg:pypi/gitpython
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44244 | Hig | 7.8 | < 3.1.49 | 3.1.49 | May 7, 2026 | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines | |
| CVE-2026-44243 | Hig | 7.1 | < 3.1.48 | 3.1.48 | May 7, 2026 | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository | |
| CVE-2026-42284 | Hig | 8.1 | < 3.1.47 | 3.1.47 | May 7, 2026 | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (st | |
| CVE-2026-42215 | Hig | 8.8 | >= 3.1.30, < 3.1.47 | 3.1.47 | May 7, 2026 | GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass tha | |
| CVE-2024-22190 | — | < 3.1.41 | 3.1.41 | Jan 11, 2024 | GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those feat | ||
| CVE-2023-41040 | — | < 3.1.37 | 3.1.37 | Aug 30, 2023 | GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located | ||
| CVE-2023-40590 | — | < 3.1.33 | 3.1.33 | Aug 28, 2023 | GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `gi | ||
| CVE-2023-40267 | — | < 3.1.32 | 3.1.32 | Aug 11, 2023 | GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439. | ||
| CVE-2022-24439 | — | < 3.1.30 | 3.1.30 | Dec 12, 2022 | All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes ex |
- affected < 3.1.49fixed 3.1.49
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines
- affected < 3.1.48fixed 3.1.48
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository
- affected < 3.1.47fixed 3.1.47
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (st
- affected >= 3.1.30, < 3.1.47fixed 3.1.47
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass tha
- CVE-2024-22190Jan 11, 2024affected < 3.1.41fixed 3.1.41
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those feat
- CVE-2023-41040Aug 30, 2023affected < 3.1.37fixed 3.1.37
GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located
- CVE-2023-40590Aug 28, 2023affected < 3.1.33fixed 3.1.33
GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `gi
- CVE-2023-40267Aug 11, 2023affected < 3.1.32fixed 3.1.32
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
- CVE-2022-24439Dec 12, 2022affected < 3.1.30fixed 3.1.30
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes ex