cvebase

Dulwich Project Dulwich vulnerabilities

8 known vulnerabilities affecting dulwich_project/dulwich.

Total CVEs: 8
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2014-9390 | P1 | CRITICAL | CVSS 9.8 | PoC available | affected: ≥ 0, < 0.10.1-1 | 2020-02-12
CVE-2014-9390 [CRITICAL]: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config
Source: osv
CVE-2026-42305 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 0.10.0, < 1.2.5 | 2026-05-28
CVE-2026-42305 [CRITICAL] CWE-22: Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows. ## Impact Arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax: - \ — the Windows path separator. A sin
Source: ghsa
CVE-2017-16228 | P3 | CRITICAL | CVSS 9.8 | affected: ≤ 0.18.4 | 2017-10-29
CVE-2017-16228 [CRITICAL]: Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Sources: ghsa, nvd, osv
CVE-2014-9706 | P3 | HIGH | CVSS 7.5 | affected: ≤ 0.9.8 | 2015-03-31
CVE-2014-9706 [HIGH] CWE-19: The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.
Sources: ghsa, nvd, osv
CVE-2026-42563 | P3 | HIGH | no CVSS score listed | affected: ≥ 0.24.0, < 1.2.5 | 2026-05-28
CVE-2026-42563 [HIGH] CWE-78: Dulwich Vulnerable to Command Injection via Merge Driver Path. ## Summary Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command
Source: ghsa
CVE-2015-0838 | P3 | HIGH | CVSS 7.5 | affected: ≤ 0.9.8 | 2015-03-31
CVE-2015-0838 [HIGH] CWE-119: Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.
Sources: ghsa, nvd, osv
CVE-2026-47734 | P4 | MEDIUM | no CVSS score listed | affected: ≥ 0.1.0, < 1.2.5 | 2026-06-08
CVE-2026-47734 [MEDIUM] CWE-400: Dulwich has unbounded memory allocation in receive-pack from crafted thin packs. ## Impact An uncontrolled-resource-consumption (memory exhaustion) denial-of-service vulnerability (CWE-400 / CWE-789). A client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it wou
Source: ghsa
CVE-2026-47712 | P4 | LOW | no CVSS score listed | affected: ≥ 0.24.0, < 1.2.5 | 2026-06-08
CVE-2026-47712 [LOW] CWE-22: Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`. ### Impact dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, \), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight int
Source: ghsa