dulwich is vulnerable to Improper Input Validation
75
High Risk
Dulwich accepted several unsafe forms of repository-controlled input when archiving trees and ingesting Git pack data. A malicious repository could cause dulwich.archive.tar_stream to emit unsafe tar member paths, including traversal, .git, backslash, or colon-containing names, and crafted pack bytes could bypass trailer or object validation or trigger malformed delta handling failures. Consumers extracting generated archives could write files outside the intended directory, while fetch or clone paths could corrupt local object stores or trigger expensive failures on later reads. The fix rejects unsafe archive paths, verifies pack trailers, validates object payloads during disk pack ingestion, and rejects malformed deltas with explicit errors.
You are affected if you are using a version that falls within the vulnerable range.
dulwich is vulnerable to Improper Input Validation in versions 0.0.1 - 1.2.2.
Upgrade the dulwich library to a patched version outside the vulnerable range.
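The archive half of the advisory comes down to one check: a tree path taken from an untrusted repository must not become a tar member name unless it is free of traversal components, .git components, backslashes, colons and absolute prefixes. The following is an added example written for this page, not dulwich's own code and not its fix; the function names (check_archive_path, build_tar, classify_paths, member_names) and the sample paths are constructed for illustration. It shows the rejection rules applied while producing an in-memory tar, so an unsafe path aborts archiving instead of reaching a consumer's extractor.

```python
"""Defensive validation of tar member names derived from repository paths.

Added example, not dulwich project code. Names and sample inputs here are
constructed for illustration only.
"""
import io
import tarfile
from typing import Dict, Iterable, List, Tuple, Union

PathLike = Union[str, bytes]


class UnsafeArchivePath(ValueError):
    """Raised when a tree path must not be emitted as a tar member name."""


def check_archive_path(path: PathLike) -> str:
    """Return *path* as text if it is safe to use as a tar member name.

    Rejects the classes of names the advisory describes: traversal ("..")
    and "." components, ".git" components (compared case-insensitively,
    since the target filesystem may fold case), backslashes, colons,
    absolute names and empty or doubled separators.
    """
    if isinstance(path, bytes):
        # Git tree paths are bytes; decode losslessly for inspection.
        path = path.decode("utf-8", "surrogateescape")
    if not path:
        raise UnsafeArchivePath("empty member name")
    if "\\" in path:
        raise UnsafeArchivePath(f"backslash in member name: {path!r}")
    if ":" in path:
        # Drive letters and NTFS alternate data streams both use ':'.
        raise UnsafeArchivePath(f"colon in member name: {path!r}")
    if path.startswith("/"):
        raise UnsafeArchivePath(f"absolute member name: {path!r}")
    for component in path.split("/"):
        if component in ("", ".", ".."):
            raise UnsafeArchivePath(f"traversal or empty component in {path!r}")
        if component.lower() == ".git":
            raise UnsafeArchivePath(f".git component in {path!r}")
    return path


def classify_paths(paths: Iterable[PathLike]) -> Dict[str, str]:
    """Map each candidate path to 'ok' or to the reason it was rejected."""
    result: Dict[str, str] = {}
    for p in paths:
        key = p.decode("utf-8", "surrogateescape") if isinstance(p, bytes) else p
        try:
            check_archive_path(p)
            result[key] = "ok"
        except UnsafeArchivePath as exc:
            result[key] = str(exc)
    return result


def build_tar(entries: Iterable[Tuple[PathLike, bytes]]) -> bytes:
    """Write (path, blob) pairs to an in-memory tar, validating every name.

    Any unsafe name raises UnsafeArchivePath before a byte of that member
    is written, mirroring the 'reject unsafe archive paths' fix strategy.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=check_archive_path(name))
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes: bytes) -> List[str]:
    """List member names of a tar held in memory (used to inspect output)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    # Constructed sample of repository-controlled paths, safe and unsafe.
    sample = [b"README.md", b"src/main.py", b"../etc/passwd", b".git/config",
              b"docs\\index.html", b"C:autorun.inf", b"/abs/path", b"a//b",
              b"sub/.GIT/hooks/post-checkout"]
    for name, verdict in classify_paths(sample).items():
        print(f"{name!r:40} {verdict}")
    archive = build_tar([(b"README.md", b"hello\n"), (b"src/main.py", b"")])
    print("archived:", member_names(archive))
```

The check runs on the producing side, where dulwich's fix lives; a consumer that extracts third-party archives should still apply an equivalent filter (or Python's tarfile data filter) to member names before writing to disk, because it cannot know which producer generated the archive.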