dulwich is vulnerable to Improper Link Resolution Before File Access
86
High Risk
Dulwich's path-restricted porcelain.checkout(paths=...) writes files with a raw os.open(file_path, O_WRONLY|O_CREAT|O_TRUNC, mode) call that bypasses build_file_from_blob and follows symlinks at both the target file and intermediate directories. A crafted repository can leave a symlink at a checkout target so that restoring a specific path writes attacker-controlled content, with attacker-controlled mode bits, outside the work tree such as into .git/hooks. Planting an executable hook this way leads to remote code execution on the next checkout. The fix routes these writes through build_file_from_blob, which replaces an existing symlink with a fresh regular file instead of writing through it.
You are affected if you are using a version that falls within the vulnerable range and use path-restricted porcelain.checkout(paths=...) on repositories from an untrusted source.
dulwich is vulnerable to Improper Link Resolution Before File Access in versions 0.24.0 - 1.2.7.
Upgrade the dulwich library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant