Search before asking
Description
What happened
In dolphinscheduler/tools/release/requirements.txt, the current version constraint, GitPython~=3.1, allows installation of versions of GitPython that are affected by CVE-2026-44244 (GHSA-v87r-6q3f-2j67).
Vulnerability Details:
Advisory: GHSA-v87r-6q3f-2j67
CVE ID: CVE-2026-44244
Severity: High (CVSS 3.1 Base Score: 7.8)
Weakness: CWE-94 Improper Control of Generation of Code ('Code Injection')
Summary: Newline injection in config_writer().set_value() enables RCE via core.hooksPath.
Technical Description: GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so an injected core.hooksPath becomes effective configuration. Any subsequent Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path, leading to Remote Code Execution.
Vulnerable Version:
GitPython: All versions < 3.1.49 are affected by this vulnerability.
Patched Version: GitPython 3.1.49 (fixed in 3.1.49 and later).
What you expected to happen
Upgrade GitPython to 3.1.49 or later.
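Two defensive checks that follow from the report above, written as an added example (not DolphinScheduler or GitPython code): a wrapper that refuses to pass line-breaking characters into a config writer's set_value(), so a value can never become an extra config line, and a small requirements.txt checker that flags a GitPython constraint whose lower bound admits a version below 3.1.49. RecordingWriter is a constructed stand-in for GitPython's config writer so the code runs offline; the set_value(section, option, value) signature is the one named in the report.

```python
import re
from typing import Optional, Tuple

# First GitPython release without the issue, as stated in the report.
FIXED_VERSION = (3, 1, 49)

# Characters that would let a value break out of its "key = value" line.
_LINE_BREAKERS = re.compile(r"[\r\n\x00]")


class UnsafeConfigValue(ValueError):
    """Raised when a value would add lines to the config file."""


def is_safe_config_value(value) -> bool:
    """True if the value cannot start a new config line."""
    return _LINE_BREAKERS.search(str(value)) is None


def validate_config_value(value) -> str:
    """Return the value as a string, or raise if it carries line breaks or NULs."""
    if not is_safe_config_value(value):
        raise UnsafeConfigValue(f"refusing config value with line-breaking characters: {value!r}")
    return str(value)


def safe_set_value(writer, section: str, option: str, value):
    """Validate first, then delegate to the writer's set_value()."""
    writer.set_value(section, option, validate_config_value(value))
    return writer


class RecordingWriter:
    """Constructed stand-in for a GitPython config writer: records calls instead of writing."""

    def __init__(self):
        self.calls = []

    def set_value(self, section, option, value):
        self.calls.append((section, option, value))
        return self


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.1' or '3.1.49' into a comparable 3-tuple (pre-release tags are ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def requirement_lower_bound(line: str) -> Optional[Tuple[int, int, int]]:
    """Lowest version a requirements.txt line admits, read from >=, == and ~= specifiers.

    '~=3.1' admits 3.1.0, so its lower bound is (3, 1, 0); None means no lower bound at all.
    """
    spec_text = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9_.\-\[\]]+\s*(.*)$", spec_text)
    if not m:
        return None
    bounds = []
    for spec in m.group(1).split(","):
        sm = re.match(r"\s*(>=|==|~=)\s*([0-9][0-9A-Za-z.]*)", spec)
        if sm:
            bounds.append(parse_version(sm.group(2)))
    return max(bounds) if bounds else None


def requirement_is_patched(line: str, fixed=FIXED_VERSION) -> bool:
    """True only if every version the constraint allows is at or above the fixed release."""
    lower = requirement_lower_bound(line)
    return lower is not None and lower >= fixed


if __name__ == "__main__":
    # Constructed requirement lines: the current pin from the report and two candidate fixes.
    for req in ("GitPython~=3.1", "GitPython~=3.1.49", "GitPython>=3.1.49,<4"):
        print(f"{req:24} patched={requirement_is_patched(req)}")
    w = safe_set_value(RecordingWriter(), "user", "name", "alice")
    print(w.calls)
```

Note that `~=3.1.49` keeps the compatible-release style the file already uses while raising the floor to the fixed version; `~=3.1` only guarantees 3.1.0.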
Are you willing to submit a PR?
Code of Conduct