PyPI · GitPython · CVE-2026-44243
**Name of the Vulnerable Software and Affected Versions**
GitPython versions prior to 3.1.48
**Description**
Insufficient validation of reference paths in reference creation, rename and delete operations allows an attacker who controls a reference name to write, overwrite, move or delete files outside the repository's `.git` directory. The path traversal arises because reference paths are not consistently validated before filesystem operations, although some validation does exist on the read side. Specifically, `SymbolicReference.create()`, `Reference.create()`, `SymbolicReference.set_reference()`, `SymbolicReference.rename()` and `SymbolicReference.delete()` build filesystem paths from attacker-controlled reference names without enforcing the repository boundary.
**Recommendations**
Update to version 3.1.48 or later.
As a temporary workaround, do not pass user-controlled reference names to `SymbolicReference.create()`, `Reference.create()`, `SymbolicReference.set_reference()`, `SymbolicReference.rename()` or `SymbolicReference.delete()`, or validate such names against the repository boundary before calling them.
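The following is an added example of the boundary check the description says was missing; it is not GitPython's code or its actual fix. It combines a syntactic pre-check modelled on the rules of `git check-ref-format` with the check that matters here: resolving the file a reference name would map to and confirming it stays under the `.git` directory. The function names (`check_ref_format`, `ref_file_path`, `classify`, `demo`) and the throwaway directory layout built in `demo()` are this example's own assumptions. The symlinked `refs/escape` directory constructed in `demo()` is included because a well-formed name such as `refs/escape/x` passes any string-only filter yet still lands outside `.git`.

```python
"""Guard reference names before handing them to filesystem-backed ref operations.

Added example, not GitPython's own code or fix. It shows the repository-boundary
check the advisory describes as missing before create/rename/delete.
"""
import tempfile
from pathlib import Path


class UnsafeRefName(ValueError):
    """Raised when a reference name is malformed or could escape the .git directory."""


# Subset of the `git check-ref-format` rules; enough to reject the obvious
# traversal payloads before any path is built.
_FORBIDDEN_SUBSTRINGS = ("..", "//", "@{", "\\", " ", "~", "^", ":", "?", "*", "[")
_FORBIDDEN_CONTROL = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def check_ref_format(name: str) -> str:
    """Reject ref names git itself would refuse (syntactic check only)."""
    if not name or name.startswith("/") or name.endswith("/"):
        raise UnsafeRefName(f"empty, absolute or trailing-slash ref name: {name!r}")
    if name.endswith(".") or name.endswith(".lock"):
        raise UnsafeRefName(f"ref name may not end with '.' or '.lock': {name!r}")
    if any(tok in name for tok in _FORBIDDEN_SUBSTRINGS):
        raise UnsafeRefName(f"forbidden sequence in ref name: {name!r}")
    if any(ch in _FORBIDDEN_CONTROL for ch in name):
        raise UnsafeRefName(f"control character in ref name: {name!r}")
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            raise UnsafeRefName(f"bad path component {component!r} in {name!r}")
    return name


def ref_file_path(git_dir: str, name: str) -> Path:
    """Return the on-disk path for a ref, guaranteed to be strictly inside git_dir.

    resolve() follows symlinks and collapses '..', so both textual traversal and a
    symlinked subdirectory that points outside .git fail the ancestor test.
    """
    check_ref_format(name)
    root = Path(git_dir).resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:  # also rejects candidate == root
        raise UnsafeRefName(f"ref {name!r} resolves outside {root}")
    return candidate


def classify(git_dir: str, names) -> dict:
    """Map each candidate name to 'ok' or to the rejection reason."""
    result = {}
    for n in names:
        try:
            ref_file_path(git_dir, n)
            result[n] = "ok"
        except UnsafeRefName as exc:
            result[n] = str(exc)
    return result


def demo() -> dict:
    """Exercise the guard against a constructed, throwaway .git layout."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = Path(tmp) / "repo" / ".git"
        (git_dir / "refs" / "heads").mkdir(parents=True)
        names = [
            "refs/heads/main",          # legitimate branch ref
            "HEAD",                     # legitimate top-level symbolic ref
            "../../outside",            # textual traversal out of .git
            "/etc/passwd",              # absolute path
            "refs/heads/../../x",       # traversal hidden inside a valid prefix
            "refs/.hidden",             # dot-leading component (git rejects it)
            "refs/heads/main.lock",     # would clobber a lock file
        ]
        # Constructed symlink: refs/escape -> the temp root, i.e. outside .git.
        try:
            (git_dir / "refs" / "escape").symlink_to(Path(tmp), target_is_directory=True)
            names.append("refs/escape/x")  # well-formed, but resolves outside .git
        except OSError:
            pass  # e.g. no symlink privilege on Windows; skip that case
        return classify(str(git_dir), names)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:28} {verdict}")
```

In a caller that must accept untrusted reference names, run `ref_file_path(repo.git_dir, name)` before invoking `Reference.create()` or the other listed methods and refuse the operation on `UnsafeRefName`. The check is a caller-side mitigation, not a substitute for upgrading: it runs before the library's own filesystem access, so a directory swapped in between the check and the write (a TOCTOU race) is not covered, and the fixed release remains the real remedy.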