Threat Advisory

GitPython Reference APIs Path Traversal Vulnerability Enables Arbitrary File Deletion

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the GitPython package, specifically affecting versions <= 3.1.48. These vulnerabilities are categorized as path traversal and code injection issues, which can lead to arbitrary file write and delete operations as well as remote code execution. Business risk and impact are significant, as attackers with access to the affected application can potentially disrupt normal operations, steal sensitive data, or execute malicious code. This can result in loss of customer trust, financial losses, and reputational damage.

CVE-2026-44243 with a CVSS score of 7.8 – A path traversal vulnerability exists in GitPython, allowing attackers to write, overwrite, move, or delete files outside the repository's .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.

CVE-2026-44244 with a CVSS score of 7.8 – GitPython's config_writer().set_value() function does not reject newlines in values, enabling remote code execution via newline injection into core.hooksPath.
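As an added example (not code from the advisory or from GitPython itself), the pre-validation an application can apply to user-controlled reference names and config values before handing them to GitPython, covering both weaknesses above: reference paths that escape the repository's .git directory, and values that smuggle extra config lines via newlines. The `git_dir` layout and the sample inputs are assumptions.

```python
import os
import posixpath


def ref_path_is_safe(git_dir: str, ref_name: str) -> bool:
    """Return True only if ref_name names a file strictly inside <git_dir>/refs."""
    # Control characters would corrupt the ref file or the packed-refs/config lines.
    if not ref_name or any(ch in ref_name for ch in ("\x00", "\n", "\r")):
        return False
    # Backslashes are path separators on Windows; refuse them rather than guess.
    if "\\" in ref_name:
        return False
    # Lexical checks: must be relative, must contain no '..' component.
    if posixpath.isabs(ref_name) or ".." in ref_name.split("/"):
        return False
    normalized = posixpath.normpath(ref_name)
    # Only full ref paths (refs/heads/..., refs/tags/...) are accepted.
    if not normalized.startswith("refs/"):
        return False
    # Filesystem check: the resolved target must still live under <git_dir>/refs,
    # so symlinked components cannot redirect the write or delete elsewhere.
    refs_dir = os.path.realpath(os.path.join(git_dir, "refs"))
    target = os.path.realpath(os.path.join(git_dir, normalized))
    return os.path.commonpath([refs_dir, target]) == refs_dir and target != refs_dir


def config_value_is_safe(value: str) -> bool:
    """Reject values that could terminate the line and append new config entries."""
    return not any(ch in value for ch in ("\n", "\r", "\x00"))


def validate_git_inputs(git_dir: str, ref_name: str, config_value: str) -> None:
    """Raise ValueError before either input reaches a GitPython write path."""
    if not ref_path_is_safe(git_dir, ref_name):
        raise ValueError(f"unsafe reference path: {ref_name!r}")
    if not config_value_is_safe(config_value):
        raise ValueError("config value must not contain newlines or NUL")


if __name__ == "__main__":
    # Constructed inputs: a repository path that need not exist for the checks to run.
    validate_git_inputs("/tmp/constructed/.git", "refs/heads/feature-x", "hooks")
    print("inputs accepted")
```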

Business risk and impact are significant, as attackers with access to the affected application can potentially disrupt normal operations, steal sensitive data, or execute malicious code. This can result in loss of customer trust, financial losses, and reputational damage.

RECOMMENDATION:

We recommend updating GitPython to version 3.1.49.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7545-fcxq-7j24
https://github.com/advisories/GHSA-v87r-6q3f-2j67