CVE-2024-22190

7.8 HIGH

📋 TL;DR

GitPython versions before 3.1.41 are vulnerable on Windows to an untrusted search path attack when the library runs git commands through a shell or runs repository hooks with bash.exe. A malicious repository can ship its own git.exe or bash.exe, which is then executed in place of the real binary, giving arbitrary code execution. Users of GitPython on Windows who clone or otherwise interact with untrusted repositories are affected.

💻 Affected Systems

Products:
  • GitPython
Versions: All versions before 3.1.41
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows, and only when GitPython runs git commands through a shell or runs hooks with bash.exe. Linux and macOS systems are not vulnerable.
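The mechanism behind the advisory, as an added example that is not part of this page or of GitPython itself: when a bare command name is handed to a shell on Windows, the current working directory is searched before every PATH entry, so a cloned repository that contains its own git.exe is found first. The first function models that lookup; the second is a hypothetical hardened resolver that never consults the working directory, only an allowlist of directories, and hands back an absolute path for use with shell=False. The directory layout and file names are constructed in a temporary directory, and nothing is executed.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def resolve_like_windows_shell(name: str, cwd: Path, path_dirs: List[Path]) -> Optional[Path]:
    """Model of the lookup a Windows shell performs for a bare command name:
    the current working directory is tried before each PATH entry.
    This ordering is what makes an untrusted search path (CWE-426) exploitable."""
    for directory in [cwd, *path_dirs]:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def resolve_trusted_executable(name: str, trusted_dirs: List[Path]) -> Optional[Path]:
    """Hardened lookup (hypothetical, not GitPython's code): ignores the
    working directory, accepts a binary only from allowlisted directories,
    and returns an absolute path so the caller can avoid shell=True."""
    for directory in trusted_dirs:
        candidate = (directory / name).resolve()
        # The resolved file must still sit inside the allowlisted directory,
        # which rejects a symlink planted there that points elsewhere.
        if candidate.is_file() and candidate.parent == directory.resolve():
            return candidate
    return None


def run_git_safely(args: List[str], trusted_dirs: List[Path]) -> subprocess.CompletedProcess:
    """Hardened invocation pattern: absolute path, argument list, no shell.
    Not exercised by demo() because no real git binary is assumed to exist."""
    exe = resolve_trusted_executable("git.exe", trusted_dirs)
    if exe is None:
        raise FileNotFoundError("git.exe not found in any trusted directory")
    return subprocess.run([str(exe), *args], shell=False, check=True, capture_output=True)


def demo() -> dict:
    """Build a fake 'untrusted repo' that ships its own git.exe next to a fake
    Git install directory, then compare the two lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        repo = root / "untrusted_repo"      # constructed: the cloned, attacker-controlled tree
        git_home = root / "Git" / "cmd"     # constructed: stands in for the real Git install dir
        repo.mkdir()
        git_home.mkdir(parents=True)
        (repo / "git.exe").write_text("planted copy")    # constructed placeholder, never run
        (git_home / "git.exe").write_text("real copy")   # constructed placeholder, never run

        naive = resolve_like_windows_shell("git.exe", cwd=repo, path_dirs=[git_home])
        hardened = resolve_trusted_executable("git.exe", trusted_dirs=[git_home])
        return {
            "naive_picked_repo_copy": naive is not None and naive.parent == repo,
            "hardened_picked_trusted": hardened is not None and hardened.parent == git_home.resolve(),
        }
```

The point of the comparison is that patching the resolver, not the caller, is what closes the hole: every call site that passes a bare name through a shell inherits the working-directory lookup, whereas an allowlisted absolute path with shell=False does not.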

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the GitPython process, potentially leading to full system compromise.

🟠 Likely Case

Arbitrary code execution when processing malicious repositories, leading to data theft, lateral movement, or persistence.

🟢 If Mitigated

Limited impact if proper access controls, sandboxing, and repository vetting are in place.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious repositories, but common in CI/CD pipelines and web services.
🏢 Internal Only: MEDIUM - Internal developers and automation tools may process untrusted code repositories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to clone or interact with a malicious repository. The vulnerability lies in how the library resolves the path of the git.exe and bash.exe binaries it runs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.41

Vendor Advisory: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx

Restart Required: No

Instructions:

1. Update GitPython to version 3.1.41 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "GitPython>=3.1.41"
2. Verify the update with: pip show GitPython
3. No restart required, but restart any running applications using GitPython.

🔧 Temporary Workarounds

Avoid untrusted repositories (scope: all)

Only clone and interact with trusted Git repositories.

Use Linux/macOS for Git operations (scope: all)

Run GitPython on non-Windows operating systems, where this vulnerability does not exist.

🧯 If You Can't Patch

  • Implement strict repository vetting processes and only allow trusted sources.
  • Run GitPython in sandboxed environments with limited privileges and network access.

🔍 How to Verify

Check if Vulnerable:

On Windows systems, check whether the installed GitPython version is below 3.1.41 using: pip show GitPython | findstr Version

Check Version:

pip show GitPython | findstr Version

Verify Fix Applied:

Confirm GitPython version is 3.1.41 or higher with: pip show GitPython | findstr Version

📡 Detection & Monitoring

Log Indicators:

  • git.exe or bash.exe launched from unexpected directories (for example, from inside a cloned repository's working tree rather than the Git installation directory)
  • GitPython errors related to path resolution

Network Indicators:

  • Git clone operations from untrusted or unknown repositories

SIEM Query:

Process creation events where the parent process is python.exe and the child image or command line refers to git.exe or bash.exe located outside the standard Git installation paths
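The SIEM logic above expressed as runnable detection code, added here as an example and not taken from the advisory or any vendor. It runs over a handful of constructed process-creation records (the parent image and child image fields that Sysmon Event ID 1 or EDR telemetry would carry) and flags git.exe or bash.exe spawned by a Python process from anywhere other than an allowlisted Git installation directory. The trusted directories assume a default Git for Windows install and should be adjusted to your estate.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List


@dataclass
class ProcessEvent:
    """Minimal process-creation record; constructed for this example."""
    parent_image: str
    image: str


# Assumption: default Git for Windows install locations. Extend for your environment.
TRUSTED_GIT_DIRS = (
    PureWindowsPath(r"C:\Program Files\Git"),
    PureWindowsPath(r"C:\Program Files (x86)\Git"),
)

WATCHED_BINARIES = {"git.exe", "bash.exe"}
PYTHON_PARENTS = {"python.exe", "pythonw.exe"}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' check on Windows path components."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def is_suspicious(ev: ProcessEvent) -> bool:
    image = PureWindowsPath(ev.image)
    if image.name.lower() not in WATCHED_BINARIES:
        return False
    # The advisory's pivot point: the library's Python process is the parent.
    if PureWindowsPath(ev.parent_image).name.lower() not in PYTHON_PARENTS:
        return False
    # A legitimate binary lives under the Git install; anything else
    # (a cloned working tree, a hooks directory, a temp folder) is the signal.
    return not any(_under(image, root) for root in TRUSTED_GIT_DIRS)


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Python311\python.exe", r"C:\Program Files\Git\cmd\git.exe"),
    ProcessEvent(r"C:\Python311\python.exe", r"C:\Users\dev\repos\untrusted\git.exe"),
    ProcessEvent(r"C:\Python311\python.exe", r"C:\Users\dev\repos\untrusted\.git\hooks\bash.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Users\dev\repos\untrusted\git.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent_image} image={hit.image}")
```

Keying on the Python parent keeps the rule tight to this advisory; if you also want coverage for other consumers of a planted git.exe, drop the parent check and tune the allowlist instead, accepting more noise from developer machines.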
