Dulwich CVE-2026-42563
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Delivered via network-reachable Git branch (AV:N); requires non-default %P merge driver config (AC:H); attacker needs no privileges (PR:N); victim must perform the merge (UI:R); shell RCE yields full C/I/A:H.
Primary rating from Vendor (https://github.com/jelmer/dulwich).
CVSS VectorVendor: https://github.com/jelmer/dulwich
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
Dulwich's ProcessMergeDriver substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths.
Description
- Type: Command Injection
- Source:
merge.pyline 195 - path from merge tree (from repository content when merging untrusted branch) - Sink:
merge_drivers.pylines 124-127 -subprocess.run(cmd, shell=True)wherecmdincludes path via%Pplaceholder - Impact: Arbitrary code execution when merging from a malicious repository. Requires the user to have a merge driver configured that uses the
%Pplaceholder.
Resources
- Repository: https://github.com/dulwich/dulwich
- Vulnerable file:
dulwich/merge_drivers.py(lines 119-129)
Proof of Concept
from dulwich.attrs import GitAttributes, Pattern
from dulwich.config import ConfigDict
from dulwich.merge import merge_blobs
from dulwich.objects import Blob
# Merge driver with %P (path) - typical for custom merge tools
config = ConfigDict()
config.set((b"merge", b"injectable"), b"driver", b"echo %P > %A")
patterns = [(Pattern(b"*"), {b"merge": b"injectable"})]
gitattributes = GitAttributes(patterns)
base = Blob.from_string(b"base")
ours = Blob.from_string(b"ours")
theirs = Blob.from_string(b"theirs")
# Malicious path from attacker-controlled git tree: injects "touch /tmp/pwned"
malicious_path = b"x; touch /tmp/pwned #"
merge_blobs(base, ours, theirs, path=malicious_path,
gitattributes=gitattributes, config=config)
# => Executes: echo x; touch /tmp/pwned
#
# => Shell runs: echo x, then touch /tmp/pwnedFix
AnalysisAI
Command injection in Dulwich (pure-Python Git implementation) versions >= 0.24.0 and < 1.2.5 allows remote attackers to execute arbitrary OS commands when a victim merges an attacker-controlled branch and has a custom merge driver configured that references the %P placeholder. The ProcessMergeDriver passes attacker-controlled file paths from the git tree into subprocess.run with shell=True, so a path like 'x; touch /tmp/pwned #' is interpreted as a shell metacharacter sequence. Publicly available exploit code exists (working POC in the GitHub Security Advisory GHSA-9277-mp7x-85jf); no public exploit in CISA KEV at time of analysis.
Technical ContextAI
Dulwich is a pure-Python implementation of the Git file formats and protocols, widely embedded in development tooling, build systems and Git hosting code. The flaw is a classic CWE-78 OS command injection in dulwich/merge_drivers.py (lines 119-129): the ProcessMergeDriver builds a shell command by string-substituting the file's repository path into the %P placeholder of the configured merge.<driver>.driver command, then runs it via subprocess.run(cmd, shell=True). Because the path originates from the merge tree (merge.py line 195) and Git tree entry names are not constrained to shell-safe characters, an attacker who controls a branch can choose a path that contains shell metacharacters such as ';', '|' or backticks, which the shell then interprets as additional commands. The fix shell-quotes substituted values before invoking the shell.
RemediationAI
Vendor-released patch: upgrade Dulwich to version 1.2.5 or later (pip install --upgrade 'dulwich>=1.2.5'), which shell-quotes values substituted into ProcessMergeDriver commands per the security release notes at https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5 and the advisory at https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf. If immediate upgrade is not possible, remove any merge driver configuration that uses the %P placeholder from .gitattributes and .git/config (and from any system or global Git config consumed by Dulwich) - the side effect is loss of custom merge-driver behavior for the affected file patterns, falling back to the default three-way merge. As an operational compensating control, avoid merging branches from untrusted remotes through Dulwich-based tooling (including automated bots and CI pipelines that fetch arbitrary fork branches) until the upgrade is rolled out; the trade-off is reduced automation throughput for fork/PR workflows.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9277-mp7x-85jf