dulwich is vulnerable to Denial of Service (DoS)
65
Medium Risk
Dulwich parses packs and loose objects from repository data without bounding the work implied by attacker-controlled headers. zlib decompression of pack entries and loose objects is not capped against the declared inflated size, so a decompression-bomb object can exhaust process memory, and an OFS_DELTA pack entry whose delta_base_offset is zero references itself so Pack.resolve_object loops forever growing its delta stack until the process runs out of memory. Processing a crafted pack or loose object from an untrusted repository can therefore hang the process or exhaust memory. The fix caps zlib decompression at the declared size, plumbs a core.bigFileThreshold-based limit into loose-object parsing, and rejects OFS_DELTA entries whose base offset is zero.
You are affected if you are using a version that falls within the vulnerable range and your application parses packs or loose objects from an untrusted repository, for example by cloning or fetching from an untrusted remote.
dulwich is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.2.8.
Upgrade the dulwich library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant