Fluid Attacks Database

Description

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	gitpython	>=3.1.30 <3.1.47	3.1.47
debian 13	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 12	python-git	=3.1.30-1 \|\| =3.1.30-1+deb12u2 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 11	python-git	=3.1.14-1 \|\| =3.1.14-1+deb11u1 \|\| =3.1.23-1 \|\| =3.1.24-1 \|\| =3.1.27-1 \|\| =3.1.30-1 \|\| =3.1.36-1 \|\| =3.1.37-1 \|\| =3.1.37-2 \|\| =3.1.37-3 \|\| =3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| =3.1.50-1	-
debian 14	python-git	=3.1.44-1 \|\| =3.1.45-1 \|\| =3.1.46-1 \|\| >=0 <3.1.50-1	3.1.50-1

Aliases

1. CVE-2026-422152. NVD-2026-422153. OSV-2026-422154. OSV-DEBIAN-2026-422155. GHSA-rpm5-65cw-6hj46. GCVE-2026-422157. SECURITY-TRACKER-CVE-2026-42215

References

1. https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj42. https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47