Intel

AIKIDO-2026-273570

dulwich is vulnerable to Path Traversal

Path TraversalGHSA-5fqc-mrg8-w798 Published 2 days ago

86

High Risk

This Affects:

PYTHONdulwich
0.23.1 - 1.2.7
Fixed in 1.2.8
Are you affected? Scan for Free

TL;DR

Dulwich's filter_branch.CommitFilter._apply_index_filter() builds a temporary index by materializing tree entries into the current working directory and its cleanup only removes the temporary index file, leaving materialized files including symlinks in place between commits. Because parent commits are processed recursively first, a symlink materialized from an ancestor commit can redirect a descendant commit's writes to arbitrary filesystem locations. A crafted repository processed with filter-branch --index-filter can therefore write attacker-controlled content outside the work tree, for example into .git/hooks, leading to remote code execution. The fix builds the temporary index in memory instead of materializing tree entries into the working directory.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and run filter-branch with an index filter on repositories from an untrusted source.

Background info

dulwich is vulnerable to Path Traversal in versions 0.23.1 - 1.2.7.

How to fix this

Upgrade the dulwich library to the patch version.