CVE-2026-42215: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in gitpython-developers GitPython
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
AI Analysis
Technical Summary
GitPython is a Python library for interacting with Git repositories. Versions 3.1.30 through 3.1.46 block dangerous Git options like --upload-pack and --receive-pack by default. However, the equivalent Python keyword arguments upload_pack and receive_pack bypass this blocking mechanism. If an application passes attacker-controlled values for these kwargs into methods such as Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), it can result in arbitrary OS command execution even when allow_unsafe_options is set to False. This vulnerability is identified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The issue has been patched in GitPython version 3.1.47.
Potential Impact
Successful exploitation allows an attacker with the ability to control certain method arguments in GitPython to execute arbitrary OS commands on the host system. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
Upgrade GitPython to version 3.1.47 or later, where this vulnerability has been patched. Until upgrading, avoid passing untrusted or attacker-controlled input into the upload_pack and receive_pack keyword arguments of Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() methods. Patch status is confirmed by the vendor advisory indicating the fix in version 3.1.47.
CVE-2026-42215: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in gitpython-developers GitPython
Description
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GitPython is a Python library for interacting with Git repositories. Versions 3.1.30 through 3.1.46 block dangerous Git options like --upload-pack and --receive-pack by default. However, the equivalent Python keyword arguments upload_pack and receive_pack bypass this blocking mechanism. If an application passes attacker-controlled values for these kwargs into methods such as Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), it can result in arbitrary OS command execution even when allow_unsafe_options is set to False. This vulnerability is identified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The issue has been patched in GitPython version 3.1.47.
Potential Impact
Successful exploitation allows an attacker with the ability to control certain method arguments in GitPython to execute arbitrary OS commands on the host system. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
Upgrade GitPython to version 3.1.47 or later, where this vulnerability has been patched. Until upgrading, avoid passing untrusted or attacker-controlled input into the upload_pack and receive_pack keyword arguments of Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() methods. Patch status is confirmed by the vendor advisory indicating the fix in version 3.1.47.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:04:37.028Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fcdf2dcbff5d86101f12f1
Added to database: 5/7/2026, 6:51:25 PM
Last enriched: 5/7/2026, 7:06:53 PM
Last updated: 5/8/2026, 10:40:37 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.