How the vulnerability works: GitPython’s GitConfigParser.set_value() passes user-supplied values to Python’s configparser without rejecting newline characters (CR, LF). An attacker can inject a newline followed by a new section header like “” and “hooksPath=/tmp/hooks”. GitPython’s internal _write() method converts embedded newlines into indented continuation lines (e.g., “\n” becomes “\n\t”). However, Git itself still accepts an indented “[bash]” stanza as a valid section header. When the poisoned .git/config is written, the injected core.hooksPath becomes an active configuration setting, and any subsequent Git operation that triggers hooks (commit, merge, checkout, etc.) executes scripts from the attacker-controlled path. The root cause is that no sanitization occurs at the trust boundary: caller-supplied inputs such as author_name or author_email go directly into set_value(). The issue was discovered in MLRun’s project.push() method but exists wherever external input reaches set_value(). The PoC creates a repository, sets a poisoned user.name value, and then commits; the injected hooksPath causes execution of an arbitrary script. Tested on GitPython 3.1.46 with Git 2.39+. The impact is persistent configuration poisoning of the repository.
dailycve form:
Platform: GitPython
Version: <=3.1.46
Vulnerability: Config injection via newlines
Severity: Critical
Date: 2026-05-06
Prediction: TBD
What Undercode Says:
Analytics:
[bash]
# Check if GitPython config writer is vulnerable
python3 -c "import git; r=git.Repo('/tmp/test'); cw=r.config_writer(); cw.set_value('user','name','foo\n[bash]\nhooksPath=/tmp/pwn'); cw.close()"
# Detect existing poisoned .git/config
grep -A1 'hooksPath' .git/config
# Monitor Git hook execution
inotifywait -m .git/hooks/
How to exploit:
1. Identify an application that calls config_writer().set_value() with user-controlled author_name/email.
2. Supply payload: “malicious\n\nhooksPath=/attacker/path”
3. Wait for any Git operation (commit, merge, checkout) on the poisoned repo.
4. Attacker-controlled script runs with the victim's privileges.
Protection from this CVE:
[python]
# Patch in GitPython config_writer
import re

def set_value(self, section, key, value):
    # Reject control characters that would let a value start a new config line or section
    if re.search(r"[\r\n\x00]", str(value)):
        raise ValueError("CR/LF/NUL not allowed in config values")
    # ... original code
Upgrade to patched version (once available) or sanitize all inputs before set_value().
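The following Python is an added example for this page, not GitPython's, MLRun's or the reporter's own code. It covers the two defensive measures the page describes: rejecting CR/LF/NUL at the trust boundary before a value reaches set_value() (the patch above), and scanning an existing .git/config for a hooksPath key that sits under an indented section header, which is the trace left by the "\n" to "\n\t" rewriting described in the how-it-works paragraph. It does not import GitPython so it runs stand-alone; safe_set_value() is a hypothetical wrapper for any object exposing set_value(section, key, value), _RecordingWriter is a stand-in used only to exercise that wrapper offline, and both config texts are constructed samples (the poisoned one assumes the injected header is "[core]", which is the section hooksPath belongs to).

```python
import re

# Control characters that let a value break out of its config line and start a
# new section header. Rejecting them at the trust boundary is the fix proposed
# above; this validator is example code, not GitPython's implementation.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def validate_config_value(value: str) -> str:
    """Return value unchanged if it can safely sit on one git config line."""
    if _FORBIDDEN.search(value):
        raise ValueError("CR/LF/NUL not allowed in git config values")
    return value


def safe_set_value(config_writer, section: str, key: str, value: str):
    """Hypothetical wrapper: validate first, then delegate to any object with
    set_value(section, key, value), such as a GitPython config writer."""
    return config_writer.set_value(section, key, validate_config_value(value))


# Section headers are matched even with leading whitespace, because git treats
# an indented "[core]" stanza as a real header, so GitPython's continuation-line
# indentation does not neutralise the injected stanza.
_SECTION = re.compile(r'^\s*\[\s*([^\]\s"]+)(?:\s+"([^"]*)")?\s*\]\s*$')
_KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def find_hooks_path(config_text: str):
    """Scan raw .git/config text and report every hooksPath key as
    (section, value, header_was_indented). An indented header is the
    signature of a stanza smuggled in through a value rather than written
    by git itself, which always starts headers in column one."""
    findings = []
    section = ""
    indented = False
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            indented = line[0].isspace()
            continue
        m = _KEYVAL.match(line)
        if m and m.group(1).lower() == "hookspath":
            findings.append((section, m.group(2), indented))
    return findings


# Constructed sample: what .git/config looks like after an injected user.name
# has been written with continuation-line indentation (assumes a [core] header).
POISONED_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    "[user]\n"
    "\tname = foo\n"
    "\t[core]\n"
    "\thooksPath = /tmp/pwn\n"
)

# Constructed sample: a clean config with the same legitimate sections.
CLEAN_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "[user]\n"
    "\tname = Alice Example\n"
)


class _RecordingWriter:
    """Minimal stand-in for a config writer so the wrapper runs offline."""

    def __init__(self):
        self.calls = []

    def set_value(self, section, key, value):
        self.calls.append((section, key, value))
        return self


if __name__ == "__main__":
    writer = _RecordingWriter()
    safe_set_value(writer, "user", "name", "Alice Example")
    try:
        safe_set_value(writer, "user", "name", "foo\n[core]\nhooksPath=/tmp/pwn")
    except ValueError as exc:
        print("rejected:", exc)
    print("poisoned:", find_hooks_path(POISONED_CONFIG))
    print("clean:", find_hooks_path(CLEAN_CONFIG))
```

The scanner deliberately reports any hooksPath, indented or not: a column-one core.hooksPath can be a legitimate setting, so the indented flag is what separates a suspected injection from an administrator's choice, and the value itself tells you which directory would have been executed on the next commit, merge or checkout.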
Impact:
Persistent repo config poisoning. In multi-user/hosted environments (e.g., shared MLRun server), one user can execute arbitrary code in the context of every other user’s Git operations. Single-user impact varies but can lead to RCE if Git hooks are triggered automatically. Affects DVC, MLflow, Kedro, and any app using GitPython with unsanitized config values.
Sources:
Reported By: github.com