GHSA-x2qx-6953-8485: Argument Injection via Insecure Transformation in GitPython

DEV Community·CVE Reports·about 1 month ago

GHSA-x2qx-6953-8485: Argument Injection via Insecure Transformation in GitPython

Vulnerability ID: GHSA-X2QX-6953-8485
CVSS Score: 8.8
Published: 2026-04-25

GitPython versions prior to 3.1.44 contain a high-severity vulnerability in the handling of the multi_options parameter during repository clone operations. An insecure string transformation bypasses the initial input validation, allowing attackers to inject arbitrary arguments into the underlying Git command and achieve remote code execution.

TL;DR: Argument injection in GitPython's _clone() method allows arbitrary code execution. The flaw stems from validating a list of arguments, converting them to a single string, and re-parsing that string with shlex.split(), which alters the argument structure and bypasses the checks.…
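The following is an added illustration of the validate-then-join-then-split pattern described in the TL;DR; it is not GitPython's code, and the denylist, function names and the `/tmp/evil` path are assumptions chosen for the demonstration. It builds the argv list that would be handed to a subprocess without running git, so it can be executed offline. The vulnerable builder validates each list element, then flattens the list to one string and re-tokenizes it with shlex.split(); a single element containing a space therefore becomes two argv tokens, the second of which the validator never saw. The hardened builder passes the validated list through unchanged and re-checks the final argv, so what is validated is exactly what is executed.

```python
import shlex
from typing import List

# Assumed denylist for this illustration (the real checker's list may differ).
# --upload-pack makes git run an attacker-chosen command, so it must never
# be accepted from untrusted input.
UNSAFE_PREFIXES = ("--upload-pack", "-u", "--config", "-c")


class UnsafeOptionError(ValueError):
    """Raised when a clone option matches the denylist."""


def check_options(options: List[str]) -> None:
    """Reject any element that begins with a denylisted option."""
    for opt in options:
        if opt.startswith(UNSAFE_PREFIXES):
            raise UnsafeOptionError(f"unsafe option: {opt!r}")


def build_argv_vulnerable(url: str, path: str, multi_options: List[str]) -> List[str]:
    """Insecure pattern: validate the list, then flatten and re-tokenize it.

    shlex.split(" ".join(...)) can yield argv elements that check_options()
    never examined, because one validated element can expand into several.
    """
    check_options(multi_options)
    reparsed = shlex.split(" ".join(multi_options))  # the insecure transformation
    return ["git", "clone", *reparsed, "--", url, path]


def build_argv_hardened(url: str, path: str, multi_options: List[str]) -> List[str]:
    """Hardened pattern: no re-tokenization, and the final argv is re-checked.

    Each caller-supplied element reaches the subprocess as exactly one argv
    token, so an element such as "--verbose --upload-pack=x" is a single
    (unknown) option to git rather than two separate options.
    """
    check_options(multi_options)
    argv = ["git", "clone", *multi_options, "--", url, path]
    # Defense in depth: validate the list that will actually be executed.
    check_options(argv[2 : 2 + len(multi_options)])
    return argv


# Constructed inputs: one benign option, one smuggling payload that passes the
# per-element check because the element starts with "--verbose".
BENIGN = ["--depth=1"]
PAYLOAD = ["--verbose --upload-pack=/tmp/evil"]
URL = "https://example.invalid/repo.git"
DEST = "/tmp/repo"


def demo() -> None:
    print("vulnerable, benign :", build_argv_vulnerable(URL, DEST, BENIGN))
    print("vulnerable, payload:", build_argv_vulnerable(URL, DEST, PAYLOAD))
    print("hardened, payload  :", build_argv_hardened(URL, DEST, PAYLOAD))
    try:
        build_argv_hardened(URL, DEST, ["--upload-pack=/tmp/evil"])
    except UnsafeOptionError as exc:
        print("hardened, direct   : rejected,", exc)


if __name__ == "__main__":
    demo()
```

The takeaway for reviewers is the general rule rather than this one library: any validation must be applied to the exact value that reaches the sink, and any transformation after validation (joining, splitting, unquoting, normalizing) reopens the question of what was checked.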
