Attack Chain

1. An attacker crafts a malicious input string containing a newline character followed by a [core] section and hooksPath setting.
2. The malicious string is passed as either the author_name or author_email parameter to an application using GitPython.
3. The application calls config_writer().set_value() with the attacker-controlled input, writing the malicious configuration to the .git/config file.
4. GitPython converts the embedded newline into an indented continuation line but still writes it to the config.
5. Git interprets the injected [core] stanza as a valid section header, thus setting the core.hooksPath to the attacker-specified path.
6. A Git operation that invokes hooks (e.g., commit, merge, checkout) is triggered.
7. Git executes the scripts located in the attacker-controlled hooksPath.
8. The attacker gains arbitrary code execution on the system.

Impact

Successful exploitation leads to persistent repository configuration poisoning. In multi-user environments, one user can poison a shared repository’s .git/config, causing the attacker’s hooks to run during subsequent Git operations by other users. The impact on single-user deployments depends on whether the application automatically invokes Git hooks. This vulnerability, now identified as CVE-2026-44244, can lead to privilege escalation and arbitrary code execution.

Recommendation

• Deploy the Sigma rule Detect Git config hooksPath modification to identify attempts to modify the core.hooksPath setting in the .git/config file.
• Audit all calls to config_writer().set_value() in your codebase, especially where user-supplied input is used, as suggested in the overview.
• Upgrade to a patched version of GitPython that raises an error on CR, LF, or NUL in config values, as described in the remediation section.
• Monitor process creation events for the execution of scripts from unusual or unexpected paths specified in the core.hooksPath using the rule Suspicious Git Hook Execution.