PT-2026-38295 · Pypi · Gitpython

Daridor9

·

Published

2026-05-06

·

Updated

2026-05-26

·

CVE-2026-44244

CVSS v3.1

7.8

High

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitPython versions prior to 3.1.49
Description: The set_value() function in GitConfigParser passes values to Python's configparser without validating them for newlines. Although the write() function converts embedded newlines into indented continuation lines, Git still accepts an indented [core] stanza as a section header. This allows an attacker to inject a core.hooksPath configuration, redirecting Git hook execution (such as commit, merge, or checkout) to a path controlled by the attacker. The result is persistent repository configuration poisoning, where scripts execute in the context of any user performing Git operations on the affected repository.
Recommendations: Update to version 3.1.49. As a temporary workaround, restrict or sanitize any external input passed to the set_value() function so that it does not contain carriage returns (CR), line feeds (LF), or NUL characters.
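As an added defensive example (not GitPython's own code and not part of this advisory), the following Python implements the recommended workaround: a wrapper that rejects values containing CR, LF or NUL before they reach GitConfigParser.set_value(), plus an audit routine that scans the text of an existing config file for the artifact this poisoning leaves behind, an indented `[section]` header, and for any hooksPath assignment. The `parser` argument, the sample config text and the placeholder path are assumptions; `safe_set_value` works with any object exposing `set_value(section, option, value)`.

```python
import re
from typing import Any

# Control characters that must never reach GitConfigParser.set_value() (the
# advisory's workaround): CR and LF break the one-value-per-line structure that
# configparser relies on, and NUL is never valid in a git config value.
_FORBIDDEN = {"\r": "CR", "\n": "LF", "\x00": "NUL"}


def validate_config_value(value: str) -> str:
    """Return `value` unchanged if it contains no CR, LF or NUL; raise ValueError otherwise."""
    found = [name for ch, name in _FORBIDDEN.items() if ch in value]
    if found:
        raise ValueError(
            f"config value contains forbidden control characters: {', '.join(found)}"
        )
    return value


def is_safe_config_value(value: str) -> bool:
    """Boolean form of validate_config_value(), convenient for filtering input."""
    return not any(ch in value for ch in _FORBIDDEN)


def safe_set_value(parser: Any, section: str, option: str, value: Any) -> None:
    """Validate, then delegate to any object with set_value(section, option, value).

    `parser` is assumed to be e.g. a git.GitConfigParser opened for writing; it is
    not constructed here so the example stays independent of GitPython.
    """
    validate_config_value(str(value))
    parser.set_value(section, option, value)


# A section header is normally written at column 0. Git's parser skips leading
# whitespace, so an indented "[core]" produced from a continuation line is still
# honoured as a header; an indented header is therefore worth flagging.
_SECTION_HEADER = re.compile(r"^(?P<indent>[ \t]*)\[[^\]]*\]")
# core.hooksPath is the key the advisory names; keys are case-insensitive in git.
_HOOKS_PATH = re.compile(r"^\s*hookspath\s*=", re.IGNORECASE)


def audit_git_config(config_text: str) -> dict:
    """Scan config text and report indented section headers and hooksPath assignments.

    Returns {"indented_headers": [(lineno, line)], "hooks_path": [(lineno, line)]},
    with lines stripped of surrounding whitespace and numbered from 1.
    """
    report: dict = {"indented_headers": [], "hooks_path": []}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _SECTION_HEADER.match(line)
        if m and m.group("indent"):
            report["indented_headers"].append((lineno, line.strip()))
        if _HOOKS_PATH.match(line):
            report["hooks_path"].append((lineno, line.strip()))
    return report


# Constructed sample .git/config (not taken from any real repository). The indented
# "[core]" and the hooksPath line are the shape the advisory describes; the path is
# a placeholder.
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    '[remote "origin"]\n'
    "\turl = https://example.invalid/repo.git\n"
    "\t[core]\n"
    "\thooksPath = /PLACEHOLDER/untrusted-hooks\n"
)


if __name__ == "__main__":
    print("accepted:", validate_config_value("plain value"))
    for bad in ("a\nb", "a\rb", "a\x00b"):
        try:
            validate_config_value(bad)
        except ValueError as exc:
            print("rejected:", exc)
    print(audit_git_config(SAMPLE_CONFIG))
```

Run the audit over `.git/config` (and any included config files) of repositories that are written to by automation using GitPython; a hit on either list is a reason to inspect the file by hand before the next commit or checkout fires a hook.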

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44244
GHSA-V87R-6Q3F-2J67
OESA-2026-2306
OESA-2026-2307
OESA-2026-2308
OPENSUSE-SU-2026:10758-1
USN-8303-1

Affected Products

Gitpython