dulwich is vulnerable to Path Traversal
High Risk
Several dulwich work-tree update paths did not fully enforce core.protectNTFS and core.protectHFS: the hardening shipped in 1.2.5 covered only checkout and reset, so a crafted branch merged or pulled via update_working_tree could still materialize NTFS-unsafe names such as git~2. Separately, untrusted patch headers processed by apply_patches (for example during git am) could carry +++ or rename targets containing .. or absolute paths; these were joined onto the repository root and written outside the working tree. The fix derives the configured path validator for all work-tree updates, rejects out-of-tree patch targets, and adds defense-in-depth validation in checkout, restore, and reset_file.
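The two checks the advisory describes, as an added illustration (not dulwich's own code): a path validator honouring core.protectNTFS / core.protectHFS, and a resolver that refuses patch targets that would land outside the work tree. Function names, the HFS-ignorable codepoint set and the sample paths are assumptions made for this example.

```python
import os
import unicodedata

# Codepoints HFS+ ignores when comparing filenames (same set git strips for
# core.protectHFS); a name like ".g\u200cit" would otherwise alias ".git".
_HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D,
                  0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF}


def _is_ntfs_dotgit(component: str) -> bool:
    """True if the component can alias '.git' on NTFS: trailing dots/spaces are
    dropped by the filesystem, and 'git~N' is the 8.3 short name for '.git'."""
    name = component.lower().rstrip(". ")
    if name == ".git":
        return True
    return name.startswith("git~") and name[4:].isdigit()


def _is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat the component as '.git' after ignoring codepoints."""
    stripped = "".join(ch for ch in component if ord(ch) not in _HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped).lower() == ".git"


def is_safe_tree_path(path: str, protect_ntfs: bool = True, protect_hfs: bool = True) -> bool:
    """Return True only for a relative, slash-separated path that stays inside
    the work tree and cannot name the .git directory on the protected filesystems."""
    if not path or path.startswith("/") or "\\" in path:
        return False  # absolute, empty, or backslash-separated (NTFS separator)
    if protect_ntfs and len(path) > 1 and path[1] == ":":
        return False  # Windows drive-letter absolute path such as C:/...
    for comp in path.split("/"):
        if comp in ("", ".", "..") or comp.lower() == ".git":
            return False
        if protect_ntfs and _is_ntfs_dotgit(comp):
            return False
        if protect_hfs and _is_hfs_dotgit(comp):
            return False
    return True


def resolve_patch_target(repo_root: str, target: str) -> str:
    """Map a '+++' or rename target (already stripped of its 'b/' prefix) onto
    repo_root, raising ValueError for anything that would escape the work tree."""
    if not is_safe_tree_path(target):
        raise ValueError(f"unsafe patch target: {target!r}")
    root = os.path.abspath(repo_root)
    full = os.path.abspath(os.path.join(root, target))
    if os.path.commonpath([root, full]) != root:  # second, filesystem-level check
        raise ValueError(f"patch target escapes work tree: {target!r}")
    return full
```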
You are affected if you are using a version that falls within the vulnerable range.
dulwich is vulnerable to Path Traversal in versions 1.2.0 - 1.2.5.
Upgrade the dulwich library to the patched version.