Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
Published: 2026-06-10
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a command injection vulnerability in Dulwich’s ProcessMergeDriver. The merge driver substitutes a file path from the repository into a command string with a %P placeholder and runs it via subprocess.run with shell=True. By creating a branch that contains malicious file names, an attacker can influence a merge operation and trigger arbitrary code execution on the host performing the merge.
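A constructed illustration of the pattern described above, added here as an example (it is not Dulwich's own code; the driver template, the `%A` placeholder, the file path and the helper names are assumptions): the same `%P` template built as a single shell string beside the argument-list form that removes the shell from the path.

```python
"""Illustration of the %P substitution pattern behind CVE-2026-42563 (constructed, not Dulwich code)."""
import json
import shlex
import subprocess
import sys

# Hypothetical merge-driver template of the kind a user might configure.
TEMPLATE = "merge-tool --path %P --ours %A"

# Constructed untrusted path of the kind an attacker-controlled tree could carry.
UNTRUSTED_PATH = "notes.txt; echo injected"


def build_shell_command(template: str, path: str, ours: str) -> str:
    """Vulnerable pattern: textual substitution, then subprocess.run(..., shell=True).
    The returned string is what the shell would parse, so metacharacters in `path`
    become shell syntax instead of staying part of one file name."""
    return template.replace("%P", path).replace("%A", ours)


def shell_tokens(command: str) -> list:
    """Tokenise a command string the way a POSIX shell would, without running it.
    Lets a reviewer see where an untrusted path turns into separate commands."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def build_argv(template: str, path: str, ours: str) -> list:
    """Hardened pattern: split the trusted template once, then substitute the
    placeholders inside each argument. The path reaches the driver as exactly one
    argv element and is never re-parsed by a shell."""
    return [arg.replace("%P", path).replace("%A", ours) for arg in shlex.split(template)]


def run_driver(argv: list) -> list:
    """Execute argv with shell=False and return the arguments the driver received.
    A small Python stand-in replaces the real merge tool so the example runs offline."""
    stub = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(stub + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    cmd = build_shell_command(TEMPLATE, UNTRUSTED_PATH, "/tmp/ours")
    print("shell string:", cmd)
    print("shell tokens:", shell_tokens(cmd))          # ';' appears as a separator
    print("argv form:  ", build_argv(TEMPLATE, UNTRUSTED_PATH, "/tmp/ours"))
    print("driver saw: ", run_driver(build_argv(TEMPLATE, UNTRUSTED_PATH, "/tmp/ours")))
```

The token list shows the `;` and the trailing words emerging as separate shell words, while the argv run shows the driver receiving the whole path as a single argument.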

Affected Systems

Jelmer Dulwich, versions 0.24.0 through 1.2.4 inclusive. The fix is present in version 1.2.5 and later.

Risk and Exploitability

The CVSS v3 score of 7.7 indicates a high severity. Exploitation requires only that an attacker can cause the application to merge a malicious branch; no additional credentials or privileges are needed. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of those metrics does not mitigate the risk. Successful exploitation results in remote code execution on the system that performs the merge.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dulwich to version 1.2.5 or newer to apply the vendor fix.
  • If an upgrade cannot be performed immediately, restrict merge operations to trusted branches or disable ProcessMergeDriver execution by adjusting the repository configuration.
  • Monitor application logs for suspicious subprocess.run calls generated by Dulwich to detect potential misuse.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-9277-mp7x-85jf
Title: Dulwich Vulnerable to Command Injection via Merge Driver Path
History

Wed, 10 Jun 2026 22:30:00 +0000

Values Added (no values removed):

Description: Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
Title: Dulwich Vulnerable to Command Injection via Merge Driver Path
Weaknesses: CWE-78
References:
Metrics (cvssV4_0): {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:47:14.927Z

Reserved: 2026-04-28T17:26:12.083Z

Link: CVE-2026-42563

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T23:16:46.413

Modified: 2026-06-10T23:16:46.413

Link: CVE-2026-42563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses