Beware of Malicious Code Execution Risk When Using GitPython on Windows

CVE: CVE-2024-22190
CVSS v3.1: 7.8
Source: CVE-2024-22190

GitPython is a popular Python library used for interacting with Git repositories. However, a vulnerability was discovered that could allow malicious code execution on Windows systems.

The issue is an untrusted search path: when GitPython runs Git commands or Bash hook scripts through the shell on Windows, it does not validate where git.exe or bash.exe is being loaded from before executing it.

An attacker could place a malicious file with one of these names inside a Git repository that a user works with. If GitPython then runs any Git command or hook script through the shell from that location, it can end up executing the attacker's file instead of the legitimate executable.

The malicious code runs with the same privileges as the GitPython process, so it could compromise the system or steal sensitive information.

The good news is that the maintainers fixed the issue in GitPython 3.1.41. All users are advised to upgrade to the latest version as soon as possible. It is also wise to use GitPython cautiously and to avoid cloning or working in untrusted repositories until the upgrade is in place.
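To make the search-path problem and the mitigation concrete, here is an added example that is not part of the original post or of GitPython itself. It models the Windows lookup order (a simplified assumption: the working directory is tried before PATH and other CreateProcess locations are omitted) over a constructed filesystem, flags an executable that would be picked up from the repository, and builds an environment that pins an absolute git path through GIT_PYTHON_GIT_EXECUTABLE, a real GitPython override; all paths and the FAKE_FS contents are constructed for the example.

```python
from pathlib import PureWindowsPath

# Constructed example filesystem: a planted git.exe inside a checked-out
# repository, a stray copy in Downloads, and the legitimate Git install.
FAKE_FS = {
    r"C:\work\untrusted-repo\git.exe",
    r"C:\Users\me\Downloads\git.exe",
    r"C:\Program Files\Git\cmd\git.exe",
}
TRUSTED_DIRS = [r"C:\Program Files\Git\cmd", r"C:\Program Files\Git\bin"]

def fake_exists(path):
    """Stand-in for os.path.exists so the model runs on any platform."""
    return str(path) in FAKE_FS

def resolve_executable(name, cwd, path_dirs, exists=fake_exists):
    """Simplified Windows lookup for a bare name: the current working
    directory is consulted before every PATH entry (assumption: other
    CreateProcess search locations are left out)."""
    for directory in [cwd, *path_dirs]:
        candidate = PureWindowsPath(directory) / name
        if exists(candidate):
            return str(candidate)
    return None

def is_inside(path, root):
    try:
        PureWindowsPath(path).relative_to(PureWindowsPath(root))
        return True
    except ValueError:
        return False

def audit_lookup(name, cwd, path_dirs, trusted_dirs=TRUSTED_DIRS, exists=fake_exists):
    """Classify where `name` would actually be loaded from."""
    resolved = resolve_executable(name, cwd, path_dirs, exists)
    if resolved is None:
        return ("missing", None)
    if is_inside(resolved, cwd):
        return ("cwd-hijack", resolved)  # the CVE-2024-22190 situation
    if not any(is_inside(resolved, d) for d in trusted_dirs):
        return ("untrusted-path", resolved)
    return ("trusted", resolved)

def hardened_env(trusted_git, base_env=None):
    """Pin an absolute git path via GIT_PYTHON_GIT_EXECUTABLE (GitPython's own
    override) and set the Windows variable that makes cmd.exe skip the
    current directory when resolving a bare executable name."""
    path = PureWindowsPath(trusted_git)
    if not path.is_absolute():
        raise ValueError("trusted git path must be absolute: " + trusted_git)
    env = dict(base_env or {})
    env["GIT_PYTHON_GIT_EXECUTABLE"] = str(path)
    env["NoDefaultCurrentDirectoryInExePath"] = "1"
    return env
```

Run the audit with the real working directory and PATH before handing control to GitPython, and pass the hardened environment to the process that imports it; the check itself does not depend on GitPython being installed.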

Being aware of the risks and taking basic precautions, such as keeping your dependencies up to date, are important steps for guarding against the growing threat of malicious open source code.
