Pypi · Gitpython · CVE-2026-44244
**Name of the Vulnerable Software and Affected Versions**
GitPython versions prior to 3.1.49
**Description**
The `set_value()` method of `GitConfigParser` passes values to Python's `configparser` without validating for newlines. Although the `write()` method converts embedded newlines into indented continuation lines, Git still accepts an indented `[core]` stanza as a section header. This allows an attacker to inject a `core.hooksPath` configuration, redirecting Git hook execution (such as commit, merge, or checkout hooks) to a path controlled by the attacker. The result is persistent repository configuration poisoning, where attacker-supplied scripts execute in the context of any user performing Git operations on the affected repository.
**Recommendations**
Update to version 3.1.49 or later.
As a temporary workaround, restrict or sanitize any external input passed to the `set_value()` method to ensure it does not contain carriage returns (CR), line feeds (LF), or NUL characters.
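The following is an added example, not code from GitPython or from this advisory. It shows the workaround as an input check that rejects CR, LF and NUL before a value is handed to a config writer, and it uses the standard-library `configparser` (which `GitConfigParser` builds on) to show why the check matters: a value containing a newline is written as an indented continuation line, and an audit function flags any such line that looks like a `[section]` header. The helper names, the `example.invalid` URL and the sample values are constructed for this example.

```python
import configparser
import io
import re

# Control characters the workaround says must never reach set_value():
# carriage return, line feed and NUL.
FORBIDDEN_CHARS = ("\r", "\n", "\0")


def validate_config_value(value: str) -> str:
    """Return `value` unchanged if it is safe for a single-line git config
    entry; raise ValueError if it contains CR, LF or NUL."""
    found = [hex(ord(ch)) for ch in FORBIDDEN_CHARS if ch in value]
    if found:
        raise ValueError(f"config value contains forbidden control characters: {found}")
    return value


def is_safe_value(value: str) -> bool:
    """Boolean convenience wrapper around validate_config_value()."""
    try:
        validate_config_value(value)
    except ValueError:
        return False
    return True


def render_config(section: str, key: str, value: str) -> str:
    """Write one entry with the stdlib configparser writer and return the text.
    configparser.set() accepts embedded newlines, and write() turns each one
    into a tab-indented continuation line; this mirrors the behaviour the
    advisory describes."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case (e.g. hooksPath) as git would
    cp.add_section(section)
    cp.set(section, key, value)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


# An indented line of the form "[name]" is a continuation line to configparser
# but a new section header to git's config parser.
_INDENTED_HEADER = re.compile(r"^[ \t]+\[[^\]]+\][ \t]*$")


def find_indented_headers(config_text: str) -> list:
    """Audit check for an already-written config: return every indented line
    that git would read as a section header."""
    return [line for line in config_text.splitlines() if _INDENTED_HEADER.match(line)]


def safe_render_config(section: str, key: str, value: str) -> str:
    """The hardened path: validate first, then write."""
    return render_config(section, key, validate_config_value(value))


if __name__ == "__main__":
    # Constructed benign value: passes validation and writes cleanly.
    print(safe_render_config('remote "origin"', "url", "https://example.invalid/repo.git"))

    # Constructed hostile value of the shape the advisory describes: a newline
    # followed by a [core] stanza. The unchecked writer emits it as an indented
    # continuation line that the audit function flags; the checked writer rejects it.
    hostile = "https://example.invalid/repo.git\n[core]\nhooksPath = /placeholder/path"
    written = render_config('remote "origin"', "url", hostile)
    print(written)
    print("flagged lines:", find_indented_headers(written))
    try:
        safe_render_config('remote "origin"', "url", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The audit function is meant for configs that may already have been written by an unpatched version: run it over `.git/config` and treat any hit as a sign the repository configuration needs review, since Git will honour the indented header even though `configparser` wrote it as part of the previous value.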