GHSA-RPM5-65CW-6HJ4: Command Injection via Git Options Bypass in GitPython
Vulnerability ID: GHSA-RPM5-65CW-6HJ4
CVSS Score: 8.8
Published: 2026-04-25
GitPython versions prior to 3.1.45 are vulnerable to a command injection flaw due to an architectural logic error in how keyword arguments are sanitized. The library attempts to block dangerous Git options like --upload-pack but performs this validation before applying Pythonic underscore-to-hyphen normalization. This allows attackers to bypass the blocklist using underscore-formatted arguments, leading to arbitrary command execution when the underlying Git binary is invoked.
TL;DR
GitPython < 3.1.45 fails to properly filter dangerous Git options when supplied via Python keyword arguments. Attackers can bypass security checks by using underscores instead of hyphens (e.g., upload_pack instead of upload-pack), resulting in arbitrary remote code execution via the underlying Git executable.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78: Improper Neutralization of Special Elements used in an OS Command
- Attack Vector: Network / Context Dependent
- Impact: Remote Code Execution (RCE)
- CVSS Score: 8.8 (Estimated)
- Exploit Status: Proof of Concept Available
- Vulnerable Component: Git command wrappers (repo.git.*)
Affected Systems
- GitPython Library
- Agentic AI tools leveraging GitPython
- Automated CI/CD pipelines using GitPython
- GitPython: < 3.1.45 (Fixed in: 3.1.45)
Exploit Details
- Researcher Context: Proof of concept demonstrates bypassing blocklist via upload_pack kwarg to execute touch /tmp/pwned.
Mitigation Strategies
- Upgrade GitPython to version 3.1.45 or later to implement the corrected sanitization logic.
- Implement application-level input validation to sanitize all keyword arguments before passing them to GitPython APIs.
- Avoid passing dynamically constructed keyword argument dictionaries (**kwargs) containing untrusted input to system wrappers.
- Run the Python application with the principle of least privilege, restricting its file system and network access to limit post-exploitation impact.
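The ordering bug described above (blocklist consulted before underscore-to-hyphen normalization) and the application-level validation recommended in the mitigation list, as an added example that is not GitPython's own code: the flawed check is shown beside the corrected one, together with a small sanitizer an application can run over untrusted keyword arguments before they reach any repo.git.* call. The normalization rule, the function names, and the blocklist entries other than --upload-pack are assumptions for illustration.

```python
# Added example, not GitPython's code. Shows why checking a blocklist before
# underscore-to-hyphen normalization is bypassable, and an application-level
# filter that normalizes first. Names and blocklist entries beyond
# --upload-pack are assumptions for illustration.
from typing import Any, Dict, FrozenSet, Mapping, Optional

# Options that make git run a program of the caller's choosing.
# "upload-pack" is the one named in the advisory; the other two are
# well-known git options added here as assumptions.
BLOCKED_OPTIONS: FrozenSet[str] = frozenset({"upload-pack", "receive-pack", "exec"})


class UnsafeGitOption(ValueError):
    """Raised when a keyword argument would become a blocked git option."""


def canonical_option(key: str) -> str:
    """Reduce a kwarg name to the option it becomes on the command line:
    leading dashes dropped, underscores turned into hyphens.
    Assumed to mirror how a Pythonic git wrapper spells kwargs as flags."""
    return key.lstrip("-").replace("_", "-")


def to_cli_flag(key: str) -> str:
    """Render the flag a wrapper would emit (assumed rule: one-letter keys
    become -x, longer keys become --long-name)."""
    name = canonical_option(key)
    return f"-{name}" if len(name) == 1 else f"--{name}"


def flawed_is_blocked(key: str) -> bool:
    """The ordering the advisory describes: the raw key is compared against
    the blocklist and normalization happens later, so 'upload_pack' passes."""
    return key in BLOCKED_OPTIONS


def is_blocked(key: str) -> bool:
    """Corrected ordering: normalize first, then compare."""
    return canonical_option(key) in BLOCKED_OPTIONS


def sanitize_git_kwargs(
    kwargs: Mapping[str, Any],
    allowed: Optional[FrozenSet[str]] = None,
) -> Dict[str, Any]:
    """Return a copy of kwargs that is safe to forward as **kwargs to a
    git wrapper call. Every key is normalized before it is compared, so
    'upload_pack', 'upload-pack' and '--upload-pack' are all rejected.
    If an allowlist of canonical option names is given, anything outside it
    is rejected too, which is the stronger posture for untrusted input."""
    clean: Dict[str, Any] = {}
    for key, value in kwargs.items():
        name = canonical_option(key)
        if name in BLOCKED_OPTIONS:
            raise UnsafeGitOption(f"refusing {to_cli_flag(key)}: blocked option")
        if allowed is not None and name not in allowed:
            raise UnsafeGitOption(f"refusing {to_cli_flag(key)}: not in allowlist")
        clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed input standing in for options parsed from an untrusted request.
    untrusted = {"depth": 1, "upload_pack": "/some/program"}
    print("flawed check blocks 'upload_pack'?", flawed_is_blocked("upload_pack"))  # False
    print("fixed check blocks 'upload_pack'?", is_blocked("upload_pack"))          # True
    try:
        sanitize_git_kwargs(untrusted, allowed=frozenset({"depth", "tags"}))
    except UnsafeGitOption as exc:
        print("sanitizer:", exc)
```

The allowlist form is the one to prefer when the keys originate outside the process; the blocklist is kept only to show why normalization has to come before the comparison.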
Remediation Steps:
- Identify all projects and environments utilizing the GitPython library via dependency auditing tools.
- Update requirements.txt, Pipfile, or pyproject.toml to specify GitPython>=3.1.45.
- Rebuild the application environments and execute integration tests to ensure Git operations proceed nominally.
- Audit the application codebase for occurrences of repo.git.<command>(**kwargs) where kwargs contains user-controlled keys, and refactor to use explicit argument passing.
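The codebase audit in the last remediation step, as an added example that is not GitPython's own code: a small static check built on Python's ast module that flags calls shaped like <expr>.git.<command>(..., **something), the pattern where a dynamically built dictionary is splatted into a git wrapper call. The sample module it scans is constructed for the demonstration, and the function name is an assumption.

```python
# Added example, not GitPython's code: a static audit that flags calls of
# the shape <expr>.git.<command>(..., **something). The sample source below
# is constructed for the demonstration.
import ast
from typing import List, Tuple


def find_splatted_git_calls(source: str, filename: str = "<constructed>") -> List[Tuple[int, str]]:
    """Return (line number, callee) for every call whose callee is an
    attribute of something named `.git` and which passes a **dict splat.
    Explicit keyword arguments (depth=1) are not flagged: their keys are
    fixed in the source and can be reviewed by eye."""
    tree = ast.parse(source, filename=filename)
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_git_wrapper = (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Attribute)
            and func.value.attr == "git"
        )
        if not is_git_wrapper:
            continue
        # An ast.keyword with arg=None is the **mapping form.
        if any(kw.arg is None for kw in node.keywords):
            hits.append((node.lineno, ast.unparse(func)))
    return sorted(hits)


# Constructed sample module to audit; not from any real project.
SAMPLE_SOURCE = """\
from git import Repo
repo = Repo(".")
repo.git.fetch("origin", depth=1)          # explicit kwargs: fine
opts = parse_request()                     # keys come from outside
repo.git.fetch("origin", **opts)           # flagged
repo.git.clone(url, **{"depth": 1})        # flagged: still a splat
self.repo.git.pull(**opts)                 # flagged: deeper attribute chain
subprocess_helper.run(**opts)              # not a git wrapper: ignored
"""


def audit_sample() -> List[Tuple[int, str]]:
    """Run the audit over the constructed sample."""
    return find_splatted_git_calls(SAMPLE_SOURCE)


if __name__ == "__main__":
    for lineno, callee in audit_sample():
        print(f"{lineno}: {callee}(**...)  review where these keys come from")
```

Each hit is a place to replace the splat with explicit keyword arguments, or at least to route the dictionary through a normalizing allowlist before the call.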