Intel

AIKIDO-2026-762440

dulwich is vulnerable to Path Traversal

Path TraversalGHSA-8mcx-5rqc-vhmf Published Yesterday

88

High Risk

This Affects:

PYTHONdulwich
0.1.0 - 1.2.8
Fixed in 1.2.9
Are you affected? Scan for Free

TL;DR

On Windows, Dulwich materializes checkout paths by joining tree entry names onto the work tree root with os.path.join. A tree entry whose leading component is a DOS drive-letter prefix such as C: is treated as an absolute path, so os.path.join discards the work tree root and writes to that drive path instead. Cloning, fetching, or checking out a crafted repository can therefore write untrusted file contents outside the work tree, including into locations that can lead to code execution. The fix rejects checkout paths whose leading component is a DOS drive-letter prefix.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you clone, fetch, or check out an untrusted repository with Dulwich on Windows.

Background info

dulwich is vulnerable to Path Traversal in versions 0.1.0 - 1.2.8.

How to fix this

Upgrade the dulwich library to the patch version.