GitPython: Command injection via Git options bypass_CVE-2026-42215

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.

AI Analysis

Command injection via Git options bypass in GitPython

Basic Information

ID CVE-2026-42215

Source GitHub_M

Published May 7, 2026 at 18:17

Affected Product

Vendor gitpython-developers

Product GitPython

Version >= 3.1.30, < 3.1.47

Affected Versions gitpython-developers GitPython >= 3.1.30, < 3.1.47

CWE Classification

CWE-78

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor GitPython Developers

Product GitPython

Version 3.1.30-3.1.46

References

{
    "lastseen": "",
    "description": "GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.",
    "published": "2026-05-07T18:17:03.194Z",
    "modified": "2026-05-07T18:17:03.194Z",
    "type": "cve",
    "title": "GitPython: Command injection via Git options bypass",
    "source": "GitHub_M",
    "references": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4\nhttps://github.com/gitpython-developers/GitPython/releases/tag/3.1.47",
    "id": "CVE-2026-42215",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "gitpython-developers GitPython >= 3.1.30, < 3.1.47",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GitPython",
    "version": ">= 3.1.30, < 3.1.47",
    "vendor": "gitpython-developers",
    "ai_description": "Command injection via Git options bypass in GitPython",
    "ai_severity": "High",
    "ai_vendor": "GitPython Developers",
    "ai_product": "GitPython",
    "ai_version": "3.1.30-3.1.46",
    "ai_score": 8.8
}