CVE-2026-42563: Dulwich Vulnerable to Command Injection via Merge Driver Path
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
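The vulnerable pattern described above is string substitution of a tree-controlled path into a command string that is then run with `shell=True`. As an added example (not Dulwich's own code), the hardened alternative below tokenizes the configured driver command first, substitutes placeholders inside each token in one pass, and runs the result with `shell=False`; the stand-in driver and the path are constructed, and the placeholder set follows git's merge-driver convention (`%O %A %B %L %P`).

```python
import re
import shlex
import subprocess
import sys

# Placeholders from git's merge-driver convention (gitattributes(5)); the
# advisory concerns %P, the path of the file being merged.
PLACEHOLDER_RE = re.compile(r"%[OABLP]")


def build_argv(command_template: str, values: dict) -> list:
    """Tokenize the configured driver command first, then substitute
    placeholders inside each token in a single pass. Token boundaries are
    fixed before any tree-controlled value is seen, so a file path can only
    ever be one argument, never additional commands or shell operators."""
    argv = []
    for token in shlex.split(command_template):
        argv.append(PLACEHOLDER_RE.sub(lambda m: str(values.get(m.group(0), "")), token))
    return argv


def run_driver(command_template: str, values: dict) -> subprocess.CompletedProcess:
    """Hardened counterpart of 'subprocess.run(template_with_path, shell=True)':
    argv goes straight to the OS, so no shell ever parses the path."""
    return subprocess.run(build_argv(command_template, values),
                          shell=False, capture_output=True, text=True, check=False)


def demo() -> str:
    # Constructed stand-in driver: a Python one-liner that writes its %P
    # argument back verbatim, so we can see exactly what the driver received.
    echo_driver = shlex.join([sys.executable, "-c",
                              "import sys; sys.stdout.write(sys.argv[1])"]) + " %P"
    # Constructed path carrying shell metacharacters (no real command inside).
    hostile_path = "src/a;b $(c) | d.txt"
    return run_driver(echo_driver, {"%P": hostile_path}).stdout


if __name__ == "__main__":
    print(repr(demo()))  # the path comes back unchanged, as a single argument
```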
Metrics
- CVSS v4.0: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Command injection in Dulwich's ProcessMergeDriver allows an attacker to embed shell metacharacters in a Git tree file path, which is then substituted into a merge driver command and executed via subprocess.run with shell=True. The attack is delivered over the network (by hosting a malicious branch) and requires a victim to perform a merge operation, but no authentication is needed to publish the malicious branch. Successful exploitation gives the attacker arbitrary command execution in the context of the victim's process. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Dulwich directly. Any image containing a vulnerable version of Dulwich (>=0.24.0, <1.2.5) is flagged automatically. Status: Available
HarborGuard scores this finding at CVSS 7.7 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on image ownership and policy configuration. Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point. Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must serve a malicious Git branch reachable over the network so the victim can fetch and merge it.
- Authentication: Not required
  No authentication is required; any unauthenticated party can publish a malicious branch to a public or shared repository.
- Victim interaction: Required
  A victim must actively perform a merge of the attacker-controlled branch, making this a social-engineering vector that requires convincing the developer to run the merge.
- Attack complexity
  The exploit logic itself is straightforward, but the CVSS v4 AT:P (Attack Requirements: Present) token indicates that specific deployment conditions (such as a merge driver being configured and active) must be present for the injection to trigger.
Blast Radius
- Executes arbitrary shell commands in the context of the developer's user account or CI process performing the merge.
- Reads files accessible to that process, including source code, credentials, and local secrets stored on the machine.
- Writes or modifies files on the host filesystem, including altering repository contents or planting backdoors in the codebase.
- Crashes or disrupts the affected merge process, blocking automated CI pipelines that invoke Dulwich-based merge drivers.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously across all customer environments with images containing Dulwich in the affected range (>=0.24.0, <1.2.5). Because no upstream fix version exists yet, HarborGuard re-evaluates the advisory on every ingest cycle. The moment a fix is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that triggers an automatic rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include restricting merge driver configuration in repository-level .gitattributes files to trusted, hard-coded command paths, isolating CI environments that perform merges of untrusted branches behind strict network egress policies, and auditing any use of ProcessMergeDriver in pipeline images for exposure to externally sourced branches. Where compliance policy permits, HarborGuard can flag any newly pushed image that reintroduces a vulnerable Dulwich version before it reaches production.
Affected Products
- jelmer / dulwich: >= 0.24.0, < 1.2.5
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N