Skip to main content

Dulwich CVE-2026-47734

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-08 https://github.com/jelmer/dulwich GHSA-xrvj-v92f-53gj
5.7
CVSS 3.1 · Vendor: https://github.com/jelmer/dulwich
Share

Severity by source

Vendor (https://github.com/jelmer/dulwich) PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/jelmer/dulwich).

CVSS VectorVendor: https://github.com/jelmer/dulwich

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 09, 2026 - 00:13 vuln.today
Analysis Generated
Jun 09, 2026 - 00:13 vuln.today

DescriptionCVE.org

Impact

An uncontrolled-resource-consumption (memory exhaustion) denial-of-service vulnerability (CWE-400 / CWE-789).

A client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received.

Who is impacted: Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler.

Patches

Patched in 1.2.5.

add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size.

Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment.

Workarounds

On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should:

  • Restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches.
  • Run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.

Resources

  • git's receive.maxInputSize / git index-pack --max-input-size documentation
  • Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney

AnalysisAI

Memory exhaustion denial-of-service in Dulwich's git-receive-pack handler allows any client with push access to crash the server by sending a ~174-byte crafted thin pack. The pack's delta header declares an arbitrarily large dest_size value, causing dulwich's add_thin_pack/apply_delta code to allocate hundreds of megabytes of memory with no relationship to the actual bytes received. No public exploit code and no CISA KEV listing exist at time of analysis; the CVSS 5.7 Medium score reflects the low-privilege network vector but is bounded by the requirement that the attacker hold push credentials.

Technical ContextAI

Dulwich (pkg:pip/dulwich) is a pure-Python implementation of the Git protocol and object model. The vulnerability resides in thin pack ingestion: a thin pack is a pack file where delta objects may reference base objects not included in the pack itself, which the receiver must resolve. During ingestion, dulwich's add_thin_pack calls apply_delta, which reads an attacker-controlled dest_size field from the delta header and immediately pre-allocates a byte buffer of that size - without first verifying that the declared size bears any relationship to the actual wire bytes present. CWE-400 (Uncontrolled Resource Consumption) and CWE-789 (Uncontrolled Memory Allocation) are both applicable root-cause classes. The ReceivePackHandler, used by dulwich.server, the HTTP smart server, and any custom code built on the handler, is the exposed entry point. The patch introduces a max_input_size parameter to add_thin_pack, reads receive.maxInputSize from repository config, counts wire bytes, and raises PackInputTooLarge once the cap is exceeded - mirroring the semantics of git index-pack --max-input-size.

RemediationAI

Upgrade to dulwich 1.2.5 or later; this is the vendor-confirmed fix per GHSA-xrvj-v92f-53gj. After upgrading, set receive.maxInputSize in the server repository's git config to a byte value appropriate for your largest legitimate push (e.g., receive.maxInputSize = 52428800 for 50 MB); leaving it unset or set to 0 restores unlimited behaviour matching git's semantics. For operators unable to upgrade immediately, the advisory explicitly states that receive.maxInputSize has no effect on unpatched versions and cannot be used as a workaround. Instead, restrict git-receive-pack (push) access to trusted, authenticated clients only - or disable push entirely on fetch-only servers - to remove untrusted actors from the attack surface. Additionally, run the dulwich server process under an OS-level memory ceiling using ulimit -v, cgroups MemoryMax, or a container memory limit so that a malicious push triggers an OOM kill of the process rather than exhausting host memory and destabilising other services. Note that process-kill mitigations do not prevent repeated DoS attempts and are only stopgaps until upgrade.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Module for Public Cloud 12 Affected
SUSE Linux Enterprise Server 12 Affected
SUSE Linux Enterprise Server for SAP Applications 12 Affected
SUSE Linux Enterprise High Performance Computing 12 Affected
SUSE Linux Enterprise Server 12 SP3 Affected

Share

CVE-2026-47734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy