Intel

AIKIDO-2026-281672

dulwich is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-35mr-4567-66vg Published Yesterday

65

Medium Risk

This Affects:

PYTHONdulwich
0.0.1 - 1.2.8
Fixed in 1.2.9
Are you affected? Scan for Free

TL;DR

Dulwich parses packs and loose objects from repository data without bounding the work implied by attacker-controlled headers. zlib decompression of pack entries and loose objects is not capped against the declared inflated size, so a decompression-bomb object can exhaust process memory, and an OFS_DELTA pack entry whose delta_base_offset is zero references itself so Pack.resolve_object loops forever growing its delta stack until the process runs out of memory. Processing a crafted pack or loose object from an untrusted repository can therefore hang the process or exhaust memory. The fix caps zlib decompression at the declared size, plumbs a core.bigFileThreshold-based limit into loose-object parsing, and rejects OFS_DELTA entries whose base offset is zero.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses packs or loose objects from an untrusted repository, for example by cloning or fetching from an untrusted remote.

Background info

dulwich is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.2.8.

How to fix this

Upgrade the dulwich library to the patch version.