Fluid Attacks Database

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	gitpython	>=0 <3.1.49	3.1.49
debian 11	python-git	=3.1.14-1 \|\| =3.1.14-1+deb11u1 \|\| =3.1.23-1 \|\| =3.1.24-1 \|\| =3.1.27-1 \|\| =3.1.30-1 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 12	python-git	=3.1.30-1 \|\| =3.1.30-1+deb12u2 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 13	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 14	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| >=0 <3.1.50-1	3.1.50-1

Aliases

1. CVE-2026-442442. NVD-2026-442443. OSV-2026-442444. OSV-DEBIAN-2026-442445. GHSA-v87r-6q3f-2j676. GCVE-2026-442447. SECURITY-TRACKER-CVE-2026-44244

References

1. https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j672. https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49