Fluid Attacks Database

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	gitpython	>=0 <3.1.48	3.1.48
debian 12	python-git	=3.1.30-1 \|\| =3.1.30-1+deb12u2 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 11	python-git	=3.1.14-1 \|\| =3.1.14-1+deb11u1 \|\| =3.1.23-1 \|\| =3.1.24-1 \|\| =3.1.27-1 \|\| =3.1.30-1 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 13	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 14	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| >=0 <3.1.50-1	3.1.50-1

Aliases

1. CVE-2026-442432. NVD-2026-442433. OSV-2026-442434. OSV-DEBIAN-2026-442435. GHSA-7545-fcxq-7j246. GCVE-2026-442437. SECURITY-TRACKER-CVE-2026-44243

References

1. https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j242. https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.