{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gitpython--3.1.47/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitPython (\u003c= 3.1.47)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-manipulation","gitpython"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in GitPython versions 3.1.46 and earlier. This vulnerability allows an attacker who can control the reference path supplied to a GitPython application to perform arbitrary file system operations outside the intended Git repository\u0026rsquo;s \u003ccode\u003e.git\u003c/code\u003e directory. The flaw stems from insufficient validation of reference paths during creation, renaming, and deletion operations. This can lead to the creation, overwriting, moving, or deletion of files, potentially compromising the application\u0026rsquo;s integrity and availability. Applications that expose GitPython reference operations to user-controlled input are particularly vulnerable. This vulnerability was disclosed on 2026-05-06.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application utilizing GitPython that exposes reference operations to user-controlled input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious reference path containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies the crafted reference path to the vulnerable GitPython API, such as \u003ccode\u003eReference.create\u003c/code\u003e or \u003ccode\u003eSymbolicReference.delete\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGitPython\u0026rsquo;s API fails to adequately validate the reference path before constructing the file system path.\u003c/li\u003e\n\u003cli\u003eThe GitPython API uses the attacker-controlled path to interact with the file system outside the repository\u0026rsquo;s \u003ccode\u003e.git\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker can now write arbitrary data to, overwrite existing data in, or delete files outside the Git repository, based on the initial API call.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the arbitrary file write/delete capabilities to corrupt application state, modify configuration files, or cause a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several detrimental outcomes. An attacker could create or overwrite files outside the repository metadata directory, delete attacker-chosen files reachable from the process permissions, corrupt application state or configuration files, or cause a denial of service by deleting or overwriting critical files. This is especially concerning for applications like Git automation services, repository management backends, CI/CD helpers, and developer platforms. Multi-user environments where one user can influence ref names processed on behalf of another workflow are also at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GitPython to version 3.1.47 or later to incorporate the fix for CVE-2026-44243.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied reference paths before passing them to GitPython APIs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GitPython Path Traversal File Creation\u003c/code\u003e to identify attempts to create files outside the repository directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GitPython Path Traversal File Deletion\u003c/code\u003e to identify attempts to delete files outside the repository directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-gitpython-path-traversal/","summary":"A path traversal vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.","title":"GitPython Path Traversal Vulnerability Allows Arbitrary File Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-gitpython-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — GitPython (\u003c= 3.1.47)","version":"https://jsonfeed.org/version/1.1"}