CVE-2026-42284: GitPython: Unsafe option check validates multi_options before shlex.split transformation

April 25, 2026 (updated May 8, 2026)

_clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone.

References

github.com/advisories/GHSA-x2qx-6953-8485
github.com/gitpython-developers/GitPython
github.com/gitpython-developers/GitPython/releases/tag/3.1.47
github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485
nvd.nist.gov/vuln/detail/CVE-2026-42284

Code Behaviors & Features

Detect and mitigate CVE-2026-42284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →