Skip to main content

Untrusted Search Path


Severity High
Score 7.8/10


GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows looks for the current working directory, and after that the PATH environment. GitPython defaults to use the "git" command, if a user runs GitPython from a repo that has a "git.exe" or "git" executable, that program will be run instead of the one in the user's "PATH". This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious "git" executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like "C:\\Program Files\\Git\\cmd\\git.EXE" (default git path installation). 2: Require users to set the "GIT_PYTHON_GIT_EXECUTABLE" environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the "GIT_PYTHON_GIT_EXECUTABLE" env var to an absolute path. 4: Resolve the executable manually by only looking into the "PATH" environment variable. This vulnerability affects versions prior to 3.1.33.

  • LOW
  • HIGH
  • NONE
  • HIGH
  • HIGH

CWE-426 - Untrusted Search Path

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

Advisory Timeline

  • Published