9.8

GitPython: Malicious Git Configs Can Be Applied During Clone

DEBIAN-CVE-2026-42284
Summary

GitPython, a Python library used to interact with Git repositories, had a security issue prior to version 3.1.47. An attacker could pass a specially crafted clone option string that applies malicious Git configuration when a repository is cloned. This issue has been fixed in version 3.1.47, so update your library to the latest version to stay secure.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem   Vendor   Product      Affected versions
Debian:11   debian   python-git   All versions
Debian:12   debian   python-git   All versions
Debian:13   debian   python-git   All versions
Debian:14   debian   python-git   All versions
Original title
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_option...
Original description
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
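The description above boils down to an ordering bug: the option list is validated as given, then joined and re-split with shell rules, so a single element that starts with an allowed option can carry a second, unchecked option after a space. The following is an added illustration, not GitPython's own code; the function names, the small blocklist, and the error type are assumptions made for this example. It puts the vulnerable validate-then-split ordering beside a split-then-validate version so the difference can be checked directly on the input shape the advisory describes.

```python
import shlex

# Added illustration of the check-before-split ordering described in the advisory.
# Function names, the blocklist and the error type are assumptions for this example;
# none of this is GitPython's own code.

# Options that let a caller inject arbitrary git configuration (and therefore hooks).
# "--config" is the option named in the advisory; "-c" is git's short form of it.
BLOCKED = {"--config", "-c"}


def _option_name(token):
    """Return the option part of a token such as '--config=core.hooksPath=/x'."""
    return token.split("=", 1)[0]


def validate_then_split(multi_options):
    """Vulnerable ordering: check each list element as given, then join and re-split.

    An element that contains spaces is inspected as one string, so only its first
    word is examined; the shell-style split afterwards turns it into several argv
    entries that were never checked.
    """
    for opt in multi_options:
        if _option_name(opt) in BLOCKED:
            raise ValueError("blocked option: %s" % opt)
    return shlex.split(" ".join(multi_options))


def split_then_validate(multi_options):
    """Hardened ordering: produce the exact argv tokens first, then check every token."""
    tokens = shlex.split(" ".join(multi_options))
    for tok in tokens:
        name = _option_name(tok)
        # Reject the long form, the short form, and the attached short form ("-ckey=value").
        if name in BLOCKED or (tok.startswith("-c") and not tok.startswith("--")):
            raise ValueError("blocked option: %s" % tok)
    return tokens


def rejects(checker, multi_options):
    """True if the checker refuses the option list, False if it lets it through."""
    try:
        checker(multi_options)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input in the shape the advisory describes: one element that starts
    # with an allowed option but carries --config after a space.
    smuggled = ["--branch main --config core.hooksPath=/x"]
    print(validate_then_split(smuggled))            # passes the check; "--config" reaches git
    print(rejects(split_then_validate, smuggled))   # True: caught after splitting
```

The only difference between the two functions is where the check sits relative to the split. Any validation that runs on a representation other than the one handed to the subprocess is checking the wrong thing; the robust fix is to check the final argv, and an allowlist of the options a caller is actually meant to use is stronger than the blocklist shown here.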
Published: 7 May 2026 · Updated: 8 May 2026 · First seen: 8 May 2026