Dulwich CVE-2026-47712
LOWSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from Vendor (https://github.com/jelmer/dulwich) · only source for this CVE.
CVSS VectorVendor: https://github.com/jelmer/dulwich
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Impact
dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, \), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch").
A malicious commit subject could therefore direct the generated patch file outside the requested outdir. Reduced examples:
- x/../../x produced <outdir>/0001-x/../../x.patch, resolving
two directories above outdir.
- x\..\..\x produced the equivalent escape on Windows, here \ is also a path separator.
Related issues from the same root cause:
- Subjects containing characters that are illegal in Windows filenames (e.g. :) caused format_patch to fail outright on Windows, where git would have succeeded.
- Very long subjects produced excessively long filenames that could exceed filesystem limits; git truncates them.
Anyone calling porcelain.format_patch (or the dulwich format-patch CLI) against untrusted commits - for example, a service that runs format-patch over user-supplied repositories or pull requests - could have patch files written to attacker-chosen locations within the process's write permissions.
Patches
Fixed in Dulwich 1.2.5. Users should upgrade.
dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only [A-Za-z0-9._] are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.
Workarounds
Until upgrading, callers that pass untrusted commits to porcelain.format_patch can:
- Use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename.
- Validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir.
- Pre-screen commits and refuse to format any whose subject's first line contains /, \, .., or other characters that are not safe on the target filesystem.
Resources
- Fix commit: https://github.com/jelmer/dulwich/commit/c2446e51b
- Affected API: dulwich.porcelain.format_patch / dulwich format-patch
- Reference behavior: git's format_sanitized_subject in pretty.c
AnalysisAI
Path traversal in Dulwich's porcelain.format_patch function allows patch files to be written outside the intended output directory by processing commits with malicious subject lines. Any service passing untrusted commits to dulwich.porcelain.format_patch(outdir=...) - such as CI pipelines, PR review platforms, or developer tooling processing third-party repositories - is affected in versions 0.24.0 through 1.2.4. No public exploit identified at time of analysis and no CISA KEV listing, but the attack pattern is trivially reproducible from the advisory description alone; exploitation requires no special tooling beyond crafting a commit with a subject like 'x/../../target'.
Technical ContextAI
Dulwich is a pure-Python implementation of Git file formats and protocols, distributed as the pip package 'dulwich' (CPE: pkg:pip/dulwich). The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in dulwich/patch.py's get_summary() function. Prior to the fix, get_summary() only substituted spaces with dashes before embedding the commit subject directly into os.path.join(outdir, f'{i:04d}-{summary}.patch'). This meant path separators ('/', '\'), parent-directory components ('..'), and Windows-illegal characters (e.g., ':') were passed verbatim. On POSIX systems, a subject like 'x/../../x' resolves two directories above outdir; on Windows, backslash variants achieve the same. The fix introduces _sanitize_subject_for_filename(), which mirrors git's format_sanitized_subject in pretty.c - retaining only [A-Za-z0-9._], collapsing runs of other characters to '-', collapsing consecutive dots, enforcing a length cap of 52 characters, and stripping trailing '.' and '-'.
RemediationAI
Vendor-released patch: Dulwich 1.2.5. Upgrade immediately via 'pip install dulwich>=1.2.5'. The fix commit is https://github.com/jelmer/dulwich/commit/c2446e51b and the advisory is at https://github.com/jelmer/dulwich/security/advisories/GHSA-555p-6grf-mh7f. If upgrading is not immediately possible, three targeted workarounds exist with different trade-offs. First, pass stdout=True to format_patch and handle file naming yourself - this eliminates the vulnerable filename derivation path entirely but requires callers to manage output file creation. Second, validate each returned path after the call using os.path.realpath(returned_path) vs. os.path.realpath(outdir) and reject any path not inside outdir - this is a safe catch-all but adds post-call I/O overhead and does not prevent the file from being momentarily created at the wrong location before rejection. Third, pre-screen commit subjects before calling format_patch and reject any subject containing '/', '\', '..', or other filesystem-hostile characters - effective but requires platform-aware validation logic and may miss edge cases on Windows where '\' is a path separator.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-555p-6grf-mh7f