CVE-2026-42563

EUVD-2026-36175

10.06.2026, 23:16

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Debian Releases

Debian Product

Codename

dulwich

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	1.2.5-1 fixed
trixie	vulnerable

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://github.com/jelmer/dulwich/commit/e3331b3b3a122fc313460182f928f59723580b7b

https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5

https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf

https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf