CVE-2023-40590

CVE-2023-40590 is a high-severity security vulnerability in gitpython (pip), affecting versions <= 3.1.32. It is fixed in 3.1.33.

Summary

When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.

Details

This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.

The execution of the git command happens in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

python -c "import git"

The git executable from the current directory will be run.

Possible solutions

  • Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation).
  • Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
  • Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
  • Resolve the executable manually by only looking into the PATH environment variable (suggested by @Byron)

[!NOTE]
This vulnerability was reported via email, and it was decided to publish it here and make it public, so the community is aware of it, and a fix can be provided.

Impact

An attacker can trick a user to download a repository with a malicious git executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands.

CVE-2023-40590 has a CVSS score of 7.8 (High). The vector is requires local access, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.1.33); upgrading removes the vulnerable code path.

Affected versions

gitpython (<= 3.1.32)

Security releases

gitpython → 3.1.33 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade gitpython to 3.1.33 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-40590? CVE-2023-40590 is a high-severity security vulnerability in gitpython (pip), affecting versions <= 3.1.32. It is fixed in 3.1.33.
  2. How severe is CVE-2023-40590? CVE-2023-40590 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of gitpython are affected by CVE-2023-40590? gitpython (pip) versions <= 3.1.32 is affected.
  4. Is there a fix for CVE-2023-40590? Yes. CVE-2023-40590 is fixed in 3.1.33. Upgrade to this version or later.
  5. Is CVE-2023-40590 exploitable, and should I be worried? Whether CVE-2023-40590 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-40590 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-40590? Upgrade gitpython to 3.1.33 or later.

Other vulnerabilities in gitpython

CVE-2026-44244CVE-2026-44243CVE-2026-42215CVE-2026-42284CVE-2024-22190

Stop the waste.
Protect your environment with Kodem.