GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, clone() validates multioptions as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42284.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-88"
]
}{
"cpe": "cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.1.47"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
]
}