Skip to content
Threat Feed
high advisory

GitPython config_writer() Newline Injection Bypasses CVE-2026-42215 Patch

An incomplete patch for CVE-2026-42215 in GitPython allows newline injection in the section parameter of the config_writer() function, enabling arbitrary .git/config modification and remote code execution via core.hooksPath.

GitPython versions 3.1.49 and earlier are vulnerable to newline injection in the config_writer() function. The patch for CVE-2026-42215, intended to prevent arbitrary configuration modification and RCE, only validates the value parameter of the set_value() function, neglecting to validate the section and option parameters. This oversight allows an attacker to inject newline characters into the section parameter, enabling the writing of arbitrary section headers into the .git/config file. By forging a [core] section with a malicious hooksPath, attackers can achieve remote code execution when a git hook is triggered. This vulnerability allows a bypass of the intended protection provided by the CVE-2026-42215 patch and effectively re-introduces the original vulnerability.

Attack Chain

  1. Attacker gains control over a GitPython application or code that uses the config_writer() function.
  2. The attacker crafts a malicious section string containing newline characters (e.g., user]\n[core).
  3. The attacker calls config_writer().set_value() with the crafted section, the option set to hooksPath, and a value pointing to an attacker-controlled directory (e.g., /tmp/evil_hooks).
  4. The set_value() function writes the crafted section string (e.g., [user]\n[core]\n) into the .git/config file, creating a new [core] section or modifying an existing one.
  5. The hooksPath option within the injected [core] section is set to the attacker-controlled directory.
  6. The attacker places a malicious script (e.g., pre-commit) within the attacker-controlled directory and makes it executable.
  7. A git hook is triggered (e.g., by running git commit).
  8. The malicious script is executed, resulting in remote code execution.

Impact

Successful exploitation allows attackers to execute arbitrary code on the target system, potentially leading to full system compromise. The impact is similar to CVE-2026-42215. This bypass is particularly damaging as organizations may believe they are protected by patching to version 3.1.49, while they remain vulnerable. There is no information regarding the number of victims or specific sectors targeted, but any application using a vulnerable version of GitPython is at risk.

Recommendation

  • Apply input validation to the section and option parameters of the set_value() function in git/config.py to prevent newline injection.
  • Upgrade GitPython to a version beyond 3.1.49 if a new version addressing this bypass is released.
  • Monitor process creation events for execution of scripts from unusual or attacker-controlled directories defined in core.hooksPath, using a Sigma rule such as the one provided below.
  • Regularly audit .git/config files for unexpected or suspicious configurations, especially for modifications to core.hooksPath.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Detection coverage 2

Detect Git Hook Execution from Suspicious Path

high

Detects execution of git hooks from directories other than the standard .git/hooks directory, indicating potential exploitation of core.hooksPath injection vulnerabilities like CVE-2026-42215 bypass

sigma tactics: execution techniques: T1059.004 sources: process_creation, linux

Detect Git Config Modification with Suspicious Section Injection

medium

Detects modifications to the .git/config file that involve injecting new sections, potentially exploiting newline injection vulnerabilities.

sigma tactics: persistence techniques: T1546.003 sources: file_event, linux

Detection queries are available on the platform. Get full rules →