{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gitpython--3.1.49/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-42215"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitPython (\u003c= 3.1.49)"],"_cs_severities":["high"],"_cs_tags":["gitpython","newline-injection","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":["gitpython"],"content_html":"\u003cp\u003eGitPython versions 3.1.49 and earlier are vulnerable to newline injection in the \u003ccode\u003econfig_writer()\u003c/code\u003e function. The patch for CVE-2026-42215, intended to prevent arbitrary configuration modification and RCE, only validates the \u003ccode\u003evalue\u003c/code\u003e parameter of the \u003ccode\u003eset_value()\u003c/code\u003e function, neglecting to validate the \u003ccode\u003esection\u003c/code\u003e and \u003ccode\u003eoption\u003c/code\u003e parameters. This oversight allows an attacker to inject newline characters into the \u003ccode\u003esection\u003c/code\u003e parameter, enabling the writing of arbitrary section headers into the \u003ccode\u003e.git/config\u003c/code\u003e file. By forging a \u003ccode\u003e[core]\u003c/code\u003e section with a malicious \u003ccode\u003ehooksPath\u003c/code\u003e, attackers can achieve remote code execution when a git hook is triggered. This vulnerability allows a bypass of the intended protection provided by the CVE-2026-42215 patch and effectively re-introduces the original vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains control over a GitPython application or code that uses the \u003ccode\u003econfig_writer()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003esection\u003c/code\u003e string containing newline characters (e.g., \u003ccode\u003euser]\\n[core\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker calls \u003ccode\u003econfig_writer().set_value()\u003c/code\u003e with the crafted \u003ccode\u003esection\u003c/code\u003e, the \u003ccode\u003eoption\u003c/code\u003e set to \u003ccode\u003ehooksPath\u003c/code\u003e, and a \u003ccode\u003evalue\u003c/code\u003e pointing to an attacker-controlled directory (e.g., \u003ccode\u003e/tmp/evil_hooks\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eset_value()\u003c/code\u003e function writes the crafted \u003ccode\u003esection\u003c/code\u003e string (e.g., \u003ccode\u003e[user]\\n[core]\\n\u003c/code\u003e) into the \u003ccode\u003e.git/config\u003c/code\u003e file, creating a new \u003ccode\u003e[core]\u003c/code\u003e section or modifying an existing one.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehooksPath\u003c/code\u003e option within the injected \u003ccode\u003e[core]\u003c/code\u003e section is set to the attacker-controlled directory.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious script (e.g., \u003ccode\u003epre-commit\u003c/code\u003e) within the attacker-controlled directory and makes it executable.\u003c/li\u003e\n\u003cli\u003eA git hook is triggered (e.g., by running \u003ccode\u003egit commit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious script is executed, resulting in remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, potentially leading to full system compromise. The impact is similar to CVE-2026-42215. This bypass is particularly damaging as organizations may believe they are protected by patching to version 3.1.49, while they remain vulnerable. There is no information regarding the number of victims or specific sectors targeted, but any application using a vulnerable version of GitPython is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003esection\u003c/code\u003e and \u003ccode\u003eoption\u003c/code\u003e parameters of the \u003ccode\u003eset_value()\u003c/code\u003e function in \u003ccode\u003egit/config.py\u003c/code\u003e to prevent newline injection.\u003c/li\u003e\n\u003cli\u003eUpgrade GitPython to a version beyond 3.1.49 if a new version addressing this bypass is released.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for execution of scripts from unusual or attacker-controlled directories defined in \u003ccode\u003ecore.hooksPath\u003c/code\u003e, using a Sigma rule such as the one provided below.\u003c/li\u003e\n\u003cli\u003eRegularly audit \u003ccode\u003e.git/config\u003c/code\u003e files for unexpected or suspicious configurations, especially for modifications to \u003ccode\u003ecore.hooksPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T23:19:02Z","date_published":"2026-05-08T23:19:02Z","id":"/briefs/2026-05-gitpython-newline-injection/","summary":"An incomplete patch for CVE-2026-42215 in GitPython allows newline injection in the section parameter of the config_writer() function, enabling arbitrary .git/config modification and remote code execution via core.hooksPath.","title":"GitPython config_writer() Newline Injection Bypasses CVE-2026-42215 Patch","url":"https://feed.craftedsignal.io/briefs/2026-05-gitpython-newline-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — GitPython (\u003c= 3.1.49)","version":"https://jsonfeed.org/version/1.1"}