Fluid Attacks Database

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	gitpython	>=0 <3.1.47	3.1.47
debian 11	python-git	=3.1.14-1 \|\| =3.1.14-1+deb11u1 \|\| =3.1.23-1 \|\| =3.1.24-1 \|\| =3.1.27-1 \|\| =3.1.30-1 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 13	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 14	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| >=0 <3.1.50-1	3.1.50-1
debian 12	python-git	=3.1.30-1 \|\| =3.1.30-1+deb12u2 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-

Aliases

1. CVE-2026-422842. NVD-2026-422843. OSV-2026-422844. OSV-DEBIAN-2026-422845. GHSA-x2qx-6953-84856. GCVE-2026-422847. SECURITY-TRACKER-CVE-2026-42284

References

1. https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-84852. https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47