<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dulwich - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/dulwich/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 28 May 2026 22:30:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/dulwich/feed.xml" rel="self" type="application/rss+xml"/><item><title>Dulwich Arbitrary File Write Vulnerability on Windows (CVE-2026-42305)</title><link>https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/</link><pubDate>Thu, 28 May 2026 22:30:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/</guid><description>Dulwich versions before 1.2.5 are vulnerable to an arbitrary file write leading to remote code execution on Windows systems when cloning or checking out a malicious Git repository due to improper path validation, as tracked by CVE-2026-42305.</description><content:encoded><![CDATA[<p>Dulwich versions before 1.2.5 are vulnerable to an arbitrary file write vulnerability (CVE-2026-42305) on Windows. The vulnerability occurs because Dulwich's path-element validator accepts tree entries with filenames containing bytes that Windows interprets as structural path syntax, such as backslashes (<code>\</code>), NTFS alternate-data-stream markers (<code>:</code>), and NTFS 8.3 short-name aliases (<code>git~&lt;digits&gt;</code>). This allows an attacker to craft malicious Git repositories that, when cloned or checked out on Windows, can write files to arbitrary locations, including inside the <code>.git</code> directory. If a file is planted as a Git hook (e.g., <code>.git\hooks\pre-commit.exe</code>), it can lead to remote code execution when a user commits changes. POSIX systems are not directly exploitable, but can propagate malicious trees to Windows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Git repository containing a tree entry with a filename including a backslash (e.g., <code>.git\hooks\pre-commit.exe</code>).</li>
<li>The attacker hosts the malicious Git repository on a publicly accessible server.</li>
<li>A victim user clones the malicious repository using Dulwich on a Windows system (e.g., using <code>dulwich.porcelain.clone</code>).</li>
<li>Dulwich's path-element validator incorrectly processes the backslash in the filename.</li>
<li>The malicious file is written to the <code>.git\hooks</code> directory within the victim's local repository, creating the directory structure <code>.git/hooks/pre-commit.exe</code>.</li>
<li>The victim user attempts to commit changes to the repository using Git.</li>
<li>Git executes the planted hook script (<code>.git/hooks/pre-commit.exe</code>).</li>
<li>The attacker achieves arbitrary code execution in the context of the victim user on the Windows system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to achieve arbitrary file write and remote code execution on vulnerable Windows systems. This can lead to complete system compromise, data theft, and further lateral movement within the victim's network. The scope of impact depends on the number of developers and systems using affected Dulwich versions and cloning untrusted repositories.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Dulwich to version 1.2.5 or later to patch CVE-2026-42305.</li>
<li>Deploy the Sigma rule &quot;Detect Dulwich Git Hook Write via Malicious Filename&quot; to detect attempts to write Git hooks with suspicious filenames.</li>
<li>Block the use of affected Dulwich versions in your environment until they are patched.</li>
<li>Audit existing Git repositories for malicious tree entries that may have been introduced through vulnerable Dulwich versions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-write</category><category>remote-code-execution</category><category>git</category><category>dulwich</category></item><item><title>Dulwich Command Injection Vulnerability via Merge Driver</title><link>https://feed.craftedsignal.io/briefs/2026-05-dulwich-command-injection/</link><pubDate>Thu, 28 May 2026 22:30:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-dulwich-command-injection/</guid><description>Dulwich is vulnerable to command injection (CVE-2026-42563). By injecting malicious file paths through a crafted git tree, an attacker can achieve arbitrary command execution when a victim merges an untrusted branch because the `ProcessMergeDriver` substitutes the file path into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`.</description><content:encoded><![CDATA[<p>Dulwich, a Python implementation of Git, is susceptible to a command injection vulnerability (CVE-2026-42563) affecting versions 0.24.0 to 1.2.5. An attacker can exploit this flaw by crafting malicious file paths within a Git tree, which are then injected into merge driver commands during a merge operation. The vulnerability resides in the <code>ProcessMergeDriver</code>, where the file path (controlled by the attacker via a malicious branch) is substituted into the merge driver command via the <code>%P</code> placeholder and executed using <code>subprocess.run(..., shell=True)</code>. This allows an attacker who can cause a victim to merge an untrusted branch to achieve arbitrary command execution. This issue is significant for environments where Dulwich is used to manage Git repositories and where merges from untrusted sources are performed, potentially leading to compromise of the system executing the merge.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker creates a malicious Git repository with a crafted branch.</li>
<li>The malicious branch contains a file with a specially crafted path designed for command injection.</li>
<li>The attacker induces a victim to merge the malicious branch into their repository.</li>
<li>During the merge process, Dulwich's <code>ProcessMergeDriver</code> is invoked for files with merge drivers configured.</li>
<li>The malicious file path is passed to the merge driver command via the <code>%P</code> placeholder.</li>
<li><code>subprocess.run(cmd, shell=True)</code> executes the crafted command, injecting shell commands from the malicious path.</li>
<li>Arbitrary commands are executed on the victim's system with the privileges of the user running the merge operation.</li>
<li>The attacker achieves arbitrary code execution, potentially leading to complete system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows for arbitrary command execution on the affected system. This can lead to a complete compromise of the system, including data theft, modification, or destruction. The impact is especially severe if Dulwich is used in automated systems or environments where merges from untrusted sources are common. The vulnerability affects versions 0.24.0 to 1.2.5 of the <code>pip/dulwich</code> package. The number of potential victims is dependent on the number of deployments using the vulnerable versions of Dulwich that merge code from untrusted sources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Dulwich version 1.2.5 or later to remediate CVE-2026-42563.</li>
<li>Deploy the Sigma rule &quot;Detect Dulwich Merge Driver Command Injection&quot; to identify exploitation attempts via malicious merge driver configurations and command execution.</li>
<li>Review custom merge driver configurations to ensure proper sanitization of file paths used in merge commands to mitigate similar command injection vulnerabilities.</li>
<li>Implement controls to validate the integrity and trustworthiness of Git repositories and branches before merging them into production environments to prevent malicious code injection.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>command injection</category><category>dulwich</category><category>git</category><category>cve-2026-42563</category></item></channel></rss>