Intel

AIKIDO-2026-39279

dulwich is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

53

Medium Risk

This Affects:

PYTHONdulwich
0.9.1 - 1.2.6
Fixed in 1.2.7
Are you affected? Scan for Free

TL;DR

dulwich resolves loose ref names into filesystem paths in DiskRefsContainer.refpath using os.path.join, but lookups like read_loose_ref and the git-upload-archive argument skip the ref-name validation applied on write paths. An untrusted name such as ../../secret therefore resolves outside the ref store and its first line is returned as the ref value, letting a client read files outside the repository ref store. The fix validates ref names with _check_refname before resolving them to a path and rejects traversing names.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run a git server that resolves untrusted client-supplied ref names.

Background info

dulwich is vulnerable to Path Traversal in versions 0.9.1 - 1.2.6.

How to fix this

Upgrade the dulwich library to the patch version.