At time of writing, there is no direct solution, and specific steps are required to avoid exploitation in the wild.
Impact
An attacker can trick a user into downloading a repository that contains a malicious git executable; if the user runs or imports GitPython from that directory, the attacker can execute arbitrary commands.
Possible solutions
- Default to an absolute path for the git program on Windows, like C:\Program Files\Git\cmd\git.EXE (default git path installation).
- Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
- Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
- Resolve the executable manually by only looking into the PATH environment variable (suggested by @Byron)
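As an added example (not GitPython's own code), the following resolver implements the last two mitigations above: it honours GIT_PYTHON_GIT_EXECUTABLE only when the value is absolute, and otherwise walks the PATH entries itself, skipping any entry that names the working directory, so a git binary shipped inside a cloned repository is never picked up. The function names and the constructed temp-directory scenario in demo() are assumptions.

```python
import os
import stat
import tempfile

ENV_VAR = "GIT_PYTHON_GIT_EXECUTABLE"  # env var named in the advisory

def resolve_git_executable(environ=None, cwd=None, is_windows=None):
    """Locate git by walking PATH only, never the working directory.
    Returns an absolute path; a relative env-var override is rejected."""
    environ = os.environ if environ is None else environ
    cwd = os.path.normcase(os.path.abspath(os.getcwd() if cwd is None else cwd))
    is_windows = (os.name == "nt") if is_windows is None else is_windows
    override = environ.get(ENV_VAR)
    if override:
        if not os.path.isabs(override):
            raise ValueError(f"{ENV_VAR} must be absolute, got {override!r}")
        return override
    # On Windows CreateProcess searches the working directory before PATH;
    # walking PATH ourselves and skipping cwd removes that lookup entirely.
    names = ["git.exe", "git.cmd"] if is_windows else ["git"]
    for entry in environ.get("PATH", "").split(os.pathsep):
        if not entry:  # an empty PATH entry also means "current directory"
            continue
        directory = os.path.normcase(os.path.abspath(os.path.join(cwd, entry)))
        if directory == cwd:  # covers ".", "" and the absolute cwd itself
            continue
        for name in names:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                return candidate
    raise FileNotFoundError("git not found on PATH outside the working directory")

def demo():
    """Constructed scenario (hypothetical): a cloned repo shipping its own 'git'
    beside a trusted install; returns the resolved path and a pass flag."""
    root = tempfile.mkdtemp()
    repo, trusted = os.path.join(root, "repo"), os.path.join(root, "bin")
    for d in (repo, trusted):
        os.makedirs(d)
        p = os.path.join(d, "git")
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho fake git\n")
        os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
    # PATH deliberately lists the repo (as "." and absolute) before bin
    env = {"PATH": os.pathsep.join([".", repo, trusted])}
    resolved = resolve_git_executable(env, cwd=repo, is_windows=False)
    return resolved, resolved == os.path.join(trusted, "git")
```

Paths are compared after os.path.normcase so that on Windows a PATH entry spelled in a different case from the working directory is still recognised and skipped.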