GHSA-RPM5-65CW-6HJ4: Command Injection via Git Options Bypass in GitPython

Vulnerability ID: GHSA-RPM5-65CW-6HJ4
CVSS Score: 8.8
Published: 2026-04-25

GitPython versions prior to 3.1.45 are vulnerable to a command injection flaw due to an architectural logic error in how keyword arguments are sanitized. The library attempts to block dangerous Git options like --upload-pack but performs this validation before applying Pythonic underscore-to-hyphen normalization. This allows attackers to bypass the blocklist using underscore-formatted arguments, leading to arbitrary command execution when the underlying Git binary is invoked.

TL;DR

GitPython < 3.1.45 fails to properly filter dangerous Git options when supplied via Python keyword arguments. Attackers can bypass security checks by using underscores instead of hyphens (e.g., upload_pack instead of upload-pack), resulting in arbitrary remote code execution via the underlying Git executable.…
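An added illustration of the ordering bug described above, written for this page and not GitPython's own code: a simplified model of the keyword-argument-to-option conversion in which the blocklist sample and the helper names (UNSAFE_OPTIONS, dashify, to_option, check_unsafe) are assumptions. It shows why validating the raw keyword names before normalization misses upload_pack, and why validating the normalized strings that are actually handed to git catches it.

```python
# Simplified model of a kwargs -> git-option sanitizer (not GitPython's code).
from typing import Callable, Dict, List

# Constructed sample blocklist: options that let the caller pick which
# program git executes. The real list in the library is longer.
UNSAFE_OPTIONS = {"--upload-pack", "--receive-pack", "--exec", "--config"}


def dashify(name: str) -> str:
    """Pythonic keyword name -> git option name: upload_pack -> upload-pack."""
    return name.replace("_", "-")


def to_option(name: str) -> str:
    """Single-letter names become -x, longer names become --name."""
    return ("-" if len(name) == 1 else "--") + name


def check_unsafe(options: List[str]) -> None:
    """Reject any option whose name (before '=') is on the blocklist."""
    for opt in options:
        if opt.split("=", 1)[0] in UNSAFE_OPTIONS:
            raise ValueError(f"unsafe git option blocked: {opt}")


def vulnerable_transform(kwargs: Dict[str, str]) -> List[str]:
    """Flawed order: the check sees '--upload_pack' (raw keyword name),
    which is not on the blocklist, yet the value handed to git is
    '--upload-pack=...' after dashify runs."""
    check_unsafe([to_option(k) for k in kwargs])  # checks pre-normalized names
    return [f"{to_option(dashify(k))}={v}" for k, v in kwargs.items()]


def fixed_transform(kwargs: Dict[str, str]) -> List[str]:
    """Correct order: normalize first, then validate the exact strings
    that will reach the git binary."""
    args = [f"{to_option(dashify(k))}={v}" for k, v in kwargs.items()]
    check_unsafe(args)
    return args


def is_blocked(transform: Callable[[Dict[str, str]], List[str]],
               kwargs: Dict[str, str]) -> bool:
    """True if the given transform refuses the kwargs."""
    try:
        transform(kwargs)
    except ValueError:
        return True
    return False
```

Python keyword arguments cannot contain hyphens, which is exactly why the underscore form exists and why the sanitizer must run after normalization.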