{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dulwich/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-1353"},{"cvss":8.8,"id":"CVE-2019-1354"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dulwich (\u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-write","remote-code-execution","git","dulwich"],"_cs_type":"advisory","_cs_vendors":["Dulwich"],"content_html":"\u003cp\u003eDulwich versions before 1.2.5 are vulnerable to an arbitrary file write vulnerability (CVE-2026-42305) on Windows. The vulnerability occurs because Dulwich's path-element validator accepts tree entries with filenames containing bytes that Windows interprets as structural path syntax, such as backslashes (\u003ccode\u003e\\\u003c/code\u003e), NTFS alternate-data-stream markers (\u003ccode\u003e:\u003c/code\u003e), and NTFS 8.3 short-name aliases (\u003ccode\u003egit~\u0026lt;digits\u0026gt;\u003c/code\u003e). This allows an attacker to craft malicious Git repositories that, when cloned or checked out on Windows, can write files to arbitrary locations, including inside the \u003ccode\u003e.git\u003c/code\u003e directory. If a file is planted as a Git hook (e.g., \u003ccode\u003e.git\\hooks\\pre-commit.exe\u003c/code\u003e), it can lead to remote code execution when a user commits changes. POSIX systems are not directly exploitable, but can propagate malicious trees to Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git repository containing a tree entry with a filename including a backslash (e.g., \u003ccode\u003e.git\\hooks\\pre-commit.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious Git repository on a publicly accessible server.\u003c/li\u003e\n\u003cli\u003eA victim user clones the malicious repository using Dulwich on a Windows system (e.g., using \u003ccode\u003edulwich.porcelain.clone\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDulwich's path-element validator incorrectly processes the backslash in the filename.\u003c/li\u003e\n\u003cli\u003eThe malicious file is written to the \u003ccode\u003e.git\\hooks\u003c/code\u003e directory within the victim's local repository, creating the directory structure \u003ccode\u003e.git/hooks/pre-commit.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim user attempts to commit changes to the repository using Git.\u003c/li\u003e\n\u003cli\u003eGit executes the planted hook script (\u003ccode\u003e.git/hooks/pre-commit.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution in the context of the victim user on the Windows system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary file write and remote code execution on vulnerable Windows systems. This can lead to complete system compromise, data theft, and further lateral movement within the victim's network. The scope of impact depends on the number of developers and systems using affected Dulwich versions and cloning untrusted repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dulwich to version 1.2.5 or later to patch CVE-2026-42305.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Dulwich Git Hook Write via Malicious Filename\u0026quot; to detect attempts to write Git hooks with suspicious filenames.\u003c/li\u003e\n\u003cli\u003eBlock the use of affected Dulwich versions in your environment until they are patched.\u003c/li\u003e\n\u003cli\u003eAudit existing Git repositories for malicious tree entries that may have been introduced through vulnerable Dulwich versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T22:30:30Z","date_published":"2026-05-28T22:30:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/","summary":"Dulwich versions before 1.2.5 are vulnerable to an arbitrary file write leading to remote code execution on Windows systems when cloning or checking out a malicious Git repository due to improper path validation, as tracked by CVE-2026-42305.","title":"Dulwich Arbitrary File Write Vulnerability on Windows (CVE-2026-42305)","url":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dulwich (\u003e= 0.24.0, \u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["command injection","dulwich","git","cve-2026-42563"],"_cs_type":"threat","_cs_vendors":["dulwich"],"content_html":"\u003cp\u003eDulwich, a Python implementation of Git, is susceptible to a command injection vulnerability (CVE-2026-42563) affecting versions 0.24.0 to 1.2.5. An attacker can exploit this flaw by crafting malicious file paths within a Git tree, which are then injected into merge driver commands during a merge operation. The vulnerability resides in the \u003ccode\u003eProcessMergeDriver\u003c/code\u003e, where the file path (controlled by the attacker via a malicious branch) is substituted into the merge driver command via the \u003ccode\u003e%P\u003c/code\u003e placeholder and executed using \u003ccode\u003esubprocess.run(..., shell=True)\u003c/code\u003e. This allows an attacker who can cause a victim to merge an untrusted branch to achieve arbitrary command execution. This issue is significant for environments where Dulwich is used to manage Git repositories and where merges from untrusted sources are performed, potentially leading to compromise of the system executing the merge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository with a crafted branch.\u003c/li\u003e\n\u003cli\u003eThe malicious branch contains a file with a specially crafted path designed for command injection.\u003c/li\u003e\n\u003cli\u003eThe attacker induces a victim to merge the malicious branch into their repository.\u003c/li\u003e\n\u003cli\u003eDuring the merge process, Dulwich's \u003ccode\u003eProcessMergeDriver\u003c/code\u003e is invoked for files with merge drivers configured.\u003c/li\u003e\n\u003cli\u003eThe malicious file path is passed to the merge driver command via the \u003ccode\u003e%P\u003c/code\u003e placeholder.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esubprocess.run(cmd, shell=True)\u003c/code\u003e executes the crafted command, injecting shell commands from the malicious path.\u003c/li\u003e\n\u003cli\u003eArbitrary commands are executed on the victim's system with the privileges of the user running the merge operation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for arbitrary command execution on the affected system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The impact is especially severe if Dulwich is used in automated systems or environments where merges from untrusted sources are common. The vulnerability affects versions 0.24.0 to 1.2.5 of the \u003ccode\u003epip/dulwich\u003c/code\u003e package. The number of potential victims is dependent on the number of deployments using the vulnerable versions of Dulwich that merge code from untrusted sources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Dulwich version 1.2.5 or later to remediate CVE-2026-42563.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Dulwich Merge Driver Command Injection\u0026quot; to identify exploitation attempts via malicious merge driver configurations and command execution.\u003c/li\u003e\n\u003cli\u003eReview custom merge driver configurations to ensure proper sanitization of file paths used in merge commands to mitigate similar command injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement controls to validate the integrity and trustworthiness of Git repositories and branches before merging them into production environments to prevent malicious code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T22:30:17Z","date_published":"2026-05-28T22:30:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-command-injection/","summary":"Dulwich is vulnerable to command injection (CVE-2026-42563). By injecting malicious file paths through a crafted git tree, an attacker can achieve arbitrary command execution when a victim merges an untrusted branch because the `ProcessMergeDriver` substitutes the file path into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`.","title":"Dulwich Command Injection Vulnerability via Merge Driver","url":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Dulwich","version":"https://jsonfeed.org/version/1.1"}