dulwich is vulnerable to Path Traversal
86
High Risk
Dulwich's filter_branch.CommitFilter._apply_index_filter() builds a temporary index by materializing tree entries into the current working directory and its cleanup only removes the temporary index file, leaving materialized files including symlinks in place between commits. Because parent commits are processed recursively first, a symlink materialized from an ancestor commit can redirect a descendant commit's writes to arbitrary filesystem locations. A crafted repository processed with filter-branch --index-filter can therefore write attacker-controlled content outside the work tree, for example into .git/hooks, leading to remote code execution. The fix builds the temporary index in memory instead of materializing tree entries into the working directory.
You are affected if you are using a version that falls within the vulnerable range and run filter-branch with an index filter on repositories from an untrusted source.
dulwich is vulnerable to Path Traversal in versions 0.23.1 - 1.2.7.
Upgrade the dulwich library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant