CVE-2023-40590: GitPython Flaw Could Allow Attackers to Execute Arbitrary Code on Windows Systems

A security vulnerability has been found in GitPython, a Python library used to interact with Git repositories. The vulnerability tracked as CVE-2023-40590, could allow attackers to execute arbitrary code on Windows systems by tricking a user to run GitPython from a directory containing a malicious git executable.

Designed to facilitate easy interaction with Git repositories, the GitPython library is a treasure trove for developers. It offers the convenience of high-level operations akin to git-porcelain, and the nitty-gritty of low-level processes like git-plumbing. With GitPython, one can access repository data with ease and even delve deep into git repositories using either a Python-only approach or the more resource-greedy git command implementation.

Scoring a 7.8 on the CVSS, this vulnerability presents an untrusted search path issue on Windows systems. The crux of the problem? It can lead to arbitrary code execution.

When resolving a program, Python/Windows looks for the current working directory, and after that the PATH environment. GitPython defaults to using the git command, so if a user runs GitPython from a directory that contains a git.exe or git executable, that program will be run instead of the one in the user’s PATH.

An attacker could exploit this vulnerability by creating a malicious git executable and tricking a user to download it and run GitPython from the directory containing the malicious executable. Once GitPython is run, the malicious executable will be executed and the attacker will be able to execute arbitrary code on the user’s system.

The CVE-2023-40590 flaw predominantly affects Windows. Although Linux and other operating systems remain unaffected, the spotlight is on Windows because GitPython users frequently operate it from a repo’s Current Working Directory (CWD).

There are a few possible solutions to this vulnerability:

• Default to an absolute path for the git program on Windows. This would prevent GitPython from running a malicious executable if it is located in the current working directory.
• Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems. This would allow users to specify the absolute path to the git executable that they want GitPython to use.
• Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path. This would help to raise awareness of the vulnerability and help users to avoid running GitPython from untrusted sources.
• Resolve the executable manually by only looking into the PATH environment variable. This would prevent GitPython from running a malicious executable if it is located in the current working directory, but it would also make GitPython less efficient.