Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
Published: 2026-06-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a command injection vulnerability in Dulwich’s ProcessMergeDriver. The merge driver substitutes a file path from the repository into a command string with a %P placeholder and runs it via subprocess.run with shell=True. By creating a branch that contains malicious file names, an attacker can influence a merge operation and trigger arbitrary code execution on the host performing the merge.
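As an added illustration for this page (constructed here, not Dulwich's own code), the two expansion styles side by side: raw substitution of a merge-driver placeholder into a shell command string, versus tokenizing the trusted template first and substituting into an argv list that is run without a shell. The template, placeholder table and sample values are assumptions for the example.

```python
"""Constructed example of merge-driver placeholder expansion; not Dulwich code.

A merge driver is configured as a command template such as
"merge-tool %O %A %B %P", where %P is the path of the file being merged.
Substituting %P into a string that is then run with shell=True lets shell
metacharacters in the path change the command structure; substituting into
an argv list (or shell-quoting the value) keeps the path a single argument.
"""
import shlex
import subprocess

# Placeholder -> key in the values dict (names assumed for this example).
PLACEHOLDERS = {"%O": "base", "%A": "ours", "%B": "theirs", "%P": "path"}
EXAMPLE_TEMPLATE = "merge-tool %O %A %B %P"  # constructed sample template


def expand_unsafe(template: str, values: dict[str, str]) -> str:
    """The vulnerable pattern: raw substitution into a shell command string."""
    cmd = template
    for placeholder, key in PLACEHOLDERS.items():
        cmd = cmd.replace(placeholder, values[key])
    return cmd  # would then be passed to subprocess.run(cmd, shell=True)


def expand_argv(template: str, values: dict[str, str]) -> list[str]:
    """Hardened form: tokenize the trusted template first, then substitute
    into each token, so an untrusted value can never add or split tokens."""
    argv = []
    for token in shlex.split(template):
        for placeholder, key in PLACEHOLDERS.items():
            token = token.replace(placeholder, values[key])
        argv.append(token)
    return argv


def expand_quoted(template: str, values: dict[str, str]) -> str:
    """Fallback when a shell is genuinely required: quote every value."""
    cmd = template
    for placeholder, key in PLACEHOLDERS.items():
        cmd = cmd.replace(placeholder, shlex.quote(values[key]))
    return cmd


def argument_count(command: str) -> int:
    """Arguments after POSIX word splitting. A path with whitespace or
    metacharacters raises this above the template's own token count."""
    return len(shlex.split(command))


def run_merge_driver(template: str, values: dict[str, str]) -> int:
    """Run the driver without a shell; returns its exit status."""
    return subprocess.run(expand_argv(template, values), check=False).returncode
```

A simple review check: `argument_count(expand_unsafe(t, v))` must equal `len(shlex.split(t))` for every path, which only holds for the argv or quoted forms.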

Affected Systems

Jelmer Dulwich, versions 0.24.0 through 1.2.4 inclusive. The fix is present in version 1.2.5 and later.

Risk and Exploitability

The CVSS v3 score of 7.7 indicates a high severity. Exploitation requires only that an attacker can cause the application to merge a malicious branch; no additional credentials or privileges are needed. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of those metrics does not mitigate the risk. Successful exploitation results in remote code execution on the system that performs the merge.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dulwich to version 1.2.5 or newer to apply the vendor fix.
  • If an upgrade cannot be performed immediately, restrict merge operations to trusted branches or disable ProcessMergeDriver execution by adjusting the repository configuration.
  • Monitor application logs for suspicious subprocess.run calls generated by Dulwich to detect potential misuse.



Advisories
Source: Github GHSA
ID: GHSA-9277-mp7x-85jf
Title: Dulwich Vulnerable to Command Injection via Merge Driver Path
History

Thu, 11 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Jelmer; Jelmer dulwich
Type: Vendors & Products
Values Added: Jelmer; Jelmer dulwich

Wed, 10 Jun 2026 22:30:00 +0000

Type: Description
Values Added: Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
Type: Title
Values Added: Dulwich Vulnerable to Command Injection via Merge Driver Path
Type: Weaknesses
Values Added: CWE-78
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T03:55:30.892Z

Reserved: 2026-04-28T17:26:12.083Z

Link: CVE-2026-42563

Vulnrichment

Updated: 2026-06-11T13:38:01.767Z

NVD

Status: Deferred

Published: 2026-06-10T23:16:46.413

Modified: 2026-06-11T15:21:07.370

Link: CVE-2026-42563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:43Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')