Introduction
A validation order bug in GitPython allows attackers to bypass the library's built in protections against dangerous Git options, turning four commonly used API methods into vectors for arbitrary command execution. Any application that forwards user controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() is vulnerable, even when the allow_unsafe_options parameter is left at its default value of False.
GitPython is a widely used Python library for programmatic interaction with Git repositories. It serves as a foundational dependency in CI/CD pipelines, repository management platforms, and developer tooling across the Python ecosystem. The project is currently in maintenance mode, receiving only safety relevant fixes.
Technical Information
Root Cause: Validation Order Bug in cmd.py
The vulnerability originates from a mismatch between when GitPython validates kwargs for unsafe options and when it normalizes those kwargs into command line flags.
GitPython explicitly treats Git helper command options such as --upload-pack and --receive-pack as unsafe because they can be leveraged to execute arbitrary commands on the host system. The function Git.check_unsafe_options() in git/cmd.py is responsible for blocking these options. It correctly identifies and rejects option names in their dash form: upload-pack and receive-pack.
However, GitPython also provides a separate transformation step via Git.transform_kwarg(), which converts Python style underscore kwargs into Git style dash flags. For example, upload_pack becomes --upload-pack. The critical flaw is that check_unsafe_options() runs before this dashification occurs. When a caller passes upload_pack (with an underscore), the safety check sees only the underscore form, does not recognize it as dangerous, and allows it through. The kwarg is then transformed into --upload-pack and passed directly to the Git subprocess.
Affected API Surfaces
Four core GitPython methods are affected, each with a specific dangerous kwarg mapping:
| API Method | Vulnerable Kwarg | Resulting Git Flag |
|---|---|---|
Repo.clone_from() | upload_pack | --upload-pack |
Remote.fetch() | upload_pack | --upload-pack |
Remote.pull() | upload_pack | --upload-pack |
Remote.push() | receive_pack | --receive-pack |
The distinction is straightforward: calling remote.fetch(**{"upload-pack": helper}) is correctly blocked with an UnsafeOptionError, but calling remote.fetch(upload_pack=helper) passes validation and reaches helper execution.
Attack Flow
- The attacker identifies an application that uses GitPython and passes externally influenced data into one of the four affected methods as kwargs.
- The attacker supplies a value for
upload_pack(orreceive_packfor push operations) containing a path to a malicious executable or a shell command. - GitPython's
check_unsafe_options()inspects the kwarg nameupload_pack, does not match it against the blocked list (which contains the dash form), and allows it through. transform_kwarg()convertsupload_packto--upload-packand appends the attacker controlled value.- Git executes the specified helper command, achieving arbitrary command execution on the host.
CVSS v3.1 Breakdown
The CVSS 8.8 HIGH score reflects a low barrier to exploitation with severe consequences:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Minimal authentication needed |
| User Interaction | None | Fully automated exploitation possible |
| Confidentiality | High | Full data compromise possible |
| Integrity | High | Ability to modify repositories or artifacts |
| Availability | High | Potential to disrupt services |
Realistic Attack Surfaces
The prerequisite for exploitation is that an attacker must control a value that ends up as the upload_pack or receive_pack kwarg. This is realistic in several scenarios:
- Web applications that allow users to configure repository import behavior or mirror settings
- Systems that accept a user provided dictionary of extra Git options and pass them through to GitPython
- CI/CD systems that construct GitPython calls from untrusted integration configuration or webhook payloads
Affected Systems and Versions
GitPython versions greater than or equal to 3.1.30 and strictly less than 3.1.47 are affected. The unsafe option checking mechanism was introduced in version 3.1.30, but the validation order bug meant the protection was incomplete from the start. Version 3.1.47 resolves the issue.
Any application or service that depends on an affected GitPython version and passes externally influenced kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() is vulnerable, regardless of the allow_unsafe_options setting.
Multiple Linux distributions have acknowledged the vulnerability. Ubuntu has published a security advisory for CVE-2026-42215, and Fedora has pushed updates through its testing pipeline.
Vendor Security History
GitPython has a documented pattern of input validation vulnerabilities leading to remote code execution. Most notably, CVE-2022-24439 affected all versions of the package and allowed RCE through improper validation of user input, making it possible to inject a maliciously crafted remote URL into the clone command. The unsafe option checking mechanism introduced in version 3.1.30 was itself a response to this class of vulnerability, making the bypass discovered in CVE-2026-42215 particularly notable: the mitigation for the prior vulnerability class was itself incomplete.
The project is currently in maintenance mode, with the documentation stating that there will be no feature development unless contributed and no bug fixes unless they are relevant to user safety. Despite this reduced posture, the maintainers released version 3.1.47 specifically to address security issues related to bypassing injection protection of unsafe Git flags.
References
- NVD: CVE-2026-42215
- GitHub Security Advisory: GHSA-rpm5-65cw-6hj4
- GitHub Advisory Database: GHSA-rpm5-65cw-6hj4
- GitPython Release 3.1.47
- GitPython Changelog
- GitPython GitHub Repository
- Ubuntu Security Advisory: CVE-2026-42215
- Tenable Plugin: Fedora 44 GitPython
- Fedora 42 Updates Testing Report
- NVD: CVE-2022-24439 (Prior GitPython RCE)



