dulwich is vulnerable to Path Traversal
88
High Risk
On Windows, Dulwich materializes checkout paths by joining tree entry names onto the work tree root with os.path.join. A tree entry whose leading component is a DOS drive-letter prefix such as C: is treated as an absolute path, so os.path.join discards the work tree root and writes to that drive path instead. Cloning, fetching, or checking out a crafted repository can therefore write untrusted file contents outside the work tree, including into locations that can lead to code execution. The fix rejects checkout paths whose leading component is a DOS drive-letter prefix.
You are affected if you are using a version that falls within the vulnerable range and you clone, fetch, or check out an untrusted repository with Dulwich on Windows.
dulwich is vulnerable to Path Traversal in versions 0.1.0 - 1.2.8.
Upgrade the dulwich library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant