CVE-2023-40590

7.8 HIGH

📋 TL;DR

GitPython on Windows can execute a malicious git binary placed in the current working directory instead of the git on the system PATH, allowing arbitrary command execution. This affects Windows users who run GitPython from untrusted repositories. Linux and other operating systems are not vulnerable.

💻 Affected Systems

Products:
  • GitPython
Versions: All versions up to and including 3.1.32
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows, where executable lookup searches the current working directory before PATH. Linux/macOS unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary command execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Local privilege escalation or execution of malicious scripts when users run GitPython from untrusted repositories containing malicious git executables.

🟢 If Mitigated: No impact if proper mitigations are implemented, such as setting the GIT_PYTHON_GIT_EXECUTABLE environment variable or avoiding untrusted repositories.

🌐 Internet-Facing: LOW - This requires local execution or user interaction with untrusted repositories.
🏢 Internal Only: MEDIUM - Internal developers or automated systems using GitPython on Windows could be targeted via malicious repositories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to run GitPython from a directory containing a malicious git executable. Social engineering or supply chain attacks could deliver such repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4

Restart Required: No

Instructions:

No official patch available. Apply workarounds and mitigations instead.

🔧 Temporary Workarounds

Set the GIT_PYTHON_GIT_EXECUTABLE environment variable

windows

Forces GitPython to use a specific git executable path instead of searching the current directory. GitPython reads the variable when the git module is imported, so it must be present in the process environment before import; setx writes the value for new processes only, so reopen the console (or also set it in the current session) before testing.

setx GIT_PYTHON_GIT_EXECUTABLE "C:\Program Files\Git\cmd\git.EXE"

Use an absolute git path in code

windows

Explicitly set the git executable path in Python code. git.Repo() takes no git_executable argument; the supported call is git.refresh(), which is the runtime counterpart of the GIT_PYTHON_GIT_EXECUTABLE variable.

import git
git.refresh(r'C:\Program Files\Git\cmd\git.EXE')  # pin the binary before any git command runs
repo = git.Repo('.')
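The runtime form of this workaround, as an added example (not GitPython's own code; the helper names find_on_path_only, pin_gitpython and demo are ours): resolve git from absolute PATH entries only, refuse anything under the working directory, and hand that path to git.refresh(). demo() builds a constructed layout in a temporary directory to show that a CWD-first search and this resolver pick different binaries.

```python
import os
import tempfile
from pathlib import Path

# PATHEXT (.COM;.EXE;...) on Windows; on POSIX only the bare name is tried.
EXTS = [e for e in os.environ.get("PATHEXT", "").split(os.pathsep) if e] or [""]

def find_on_path_only(name, path_env, cwd):
    """Search path_env for `name`, skipping empty/relative entries (Windows reads
    those as the CWD) and any entry that resolves to the CWD. shutil.which() is
    avoided: before Python 3.12 it prepends the CWD on Windows regardless of `path`."""
    cwd_real = Path(cwd).resolve()
    for entry in path_env.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            continue
        directory = Path(entry).resolve()
        if directory == cwd_real:
            continue
        for ext in EXTS:
            candidate = directory / (name + ext)
            if candidate.is_file() and os.access(candidate, os.X_OK):
                return str(candidate)
    return None

def pin_gitpython(path_env, cwd):
    """Pick a trustworthy git (absolute, not under the CWD) and make GitPython use it."""
    exe = find_on_path_only("git", path_env, cwd)
    if exe is None or Path(cwd).resolve() in Path(exe).resolve().parents:
        raise RuntimeError("no git executable found on PATH outside the CWD")
    os.environ["NoDefaultCurrentDirectoryInExePath"] = "1"  # Windows: CreateProcess skips the CWD
    try:
        import git  # GitPython, if installed
    except ImportError:
        return exe
    git.refresh(exe)  # runtime equivalent of GIT_PYTHON_GIT_EXECUTABLE
    return exe

def demo():
    """Constructed scenario: the CWD is a checkout shipping its own 'git'; PATH lists
    that directory and an empty entry before the real tools directory."""
    root = Path(tempfile.mkdtemp())
    repo, tools = root / "repo", root / "tools"
    for d in (repo, tools):
        d.mkdir()
        (d / f"git{EXTS[0]}").write_text("#!/bin/sh\nexit 0\n")
        (d / f"git{EXTS[0]}").chmod(0o755)
    path_env = os.pathsep.join([str(repo), "", str(tools)])
    return {"cwd": str(repo), "naive": str(repo / f"git{EXTS[0]}"),
            "resolved": find_on_path_only("git", path_env, str(repo))}
```

pin_gitpython() raises before touching GitPython if the only git available is the one in the checkout, which is the condition this CVE abuses.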

🧯 If You Can't Patch

  • Never run GitPython from untrusted repositories or directories
  • Implement strict access controls on repository sources and verify repository integrity

🔍 How to Verify

Check if Vulnerable:

Check whether GitPython is run on Windows without the GIT_PYTHON_GIT_EXECUTABLE environment variable set

Check Version:

pip show GitPython | findstr Version

Verify Fix Applied:

Verify that GIT_PYTHON_GIT_EXECUTABLE is set to an absolute path, then place a benign test git.exe in the CWD and confirm that GitPython does not execute it

📡 Detection & Monitoring

Log Indicators:

  • Unexpected git.exe execution from non-standard paths
  • GitPython processes spawning from user directories

Network Indicators:

  • Unusual outbound connections from git processes

SIEM Query:

Process creation where (Image contains 'git.exe' AND NOT (Image contains 'Program Files\\Git')) OR (ParentImage contains 'python.exe' AND CommandLine contains 'git')
