Dulwich (Python Git library) Path Traversal in porcelain.format_patch, CVE-2026-47712 (Low Severity) -DC-Jun2026-304


CVE ID: CVE-2026-47712

Intro:

The `dulwich.porcelain.format_patch(outdir=…)` function in Dulwich prior to version 1.2.5 was vulnerable to a path traversal attack due to improper sanitization of commit subject lines when generating patch filenames.
This function creates a patch file by joining the specified output directory with a filename constructed from the commit’s index and a “sanitized” version of its subject line: `os.path.join(outdir, f"{i:04d}-{summary}.patch")`.
The underlying `get_summary` helper performed only basic sanitization, replacing spaces with dashes. It did not filter or encode path separators (such as `/` or `\`), parent-directory traversal sequences (`..`), or other characters harmful in a filesystem context (e.g., `:`). These characters were passed directly into the final file path.
An attacker who controls a Git repository could craft a commit with a malicious subject line. For example, a subject containing `../` could allow a generated patch to be written outside of the intended output directory. On Windows, backslashes (`\`) in the subject line acted as path separators, enabling similar directory traversal attacks.
This vulnerability also caused other issues. Commit subjects containing characters illegal in Windows filenames (like `:`) would cause `format_patch` to fail, whereas Git would handle them successfully. Additionally, extremely long commit subjects could generate filenames that exceed filesystem path length limits.
The primary risk is for any application or service that uses `porcelain.format_patch` (or the `dulwich format-patch` CLI command) to process patches from untrusted Git repositories or commits. This includes automated code review systems, patch management tools, or any service that generates patches from user-provided repositories. In such cases, a malicious actor could write patch files to arbitrary locations on the server, limited only by the process’s write permissions.

DailyCVE Form:

Platform: Dulwich (Python)
Version: < 1.2.5
Vulnerability: Path Traversal
Severity: Low (CVSS 3.3)
Date: May 28, 2026

Prediction: May 28, 2026

What Undercode Say:

# Check the installed version (vulnerable if below 1.2.5)
pip show dulwich | grep Version
# Create a commit whose subject carries a traversal sequence. Do this in a throwaway repository,
# because a vulnerable dulwich will write the patch outside the output directory.
git commit -m "x/../../x" --allow-empty
dulwich format-patch -o patches HEAD~1
# Show where the unsanitized filename actually resolves (the directory above "patches")
python -c "import os; print(os.path.realpath('patches/0001-x/../../x.patch'))"

Exploit:

Exploitation requires a malicious Git repository. An attacker crafts a commit with a subject containing path traversal sequences (e.g., `../../` or `..\..\`). When a vulnerable service runs `format_patch` on this commit, the generated patch file can be written outside the intended output directory, potentially overwriting critical files.

Protection:

Upgrade to Dulwich version 1.2.5 or later. In this fixed version, the `get_summary` function implements Git’s `format_sanitized_subject` logic: it retains only alphanumeric characters, dots, and underscores; collapses runs of other characters and consecutive dots; strips trailing dots and slashes; and limits the final length. This ensures the generated string is safe for use as a filename component.
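As an added example (not Dulwich's own code and not taken from this advisory), the following Python script puts the pre-1.2.5 "spaces to dashes" behaviour described in the Intro beside a port of Git's `format_sanitized_subject` from pretty.c, builds the patch path the way `format_patch` joins it, and adds a realpath containment check a caller can apply before opening the file. Everything named here is assumed for illustration: the helper names (`vulnerable_summary`, `git_sanitized_subject`, `patch_path`, `escapes_outdir`), the 52-character cap, and the subject lines, which are constructed. The sanitizer follows Git, which trims trailing dots and dashes; the exact limit Dulwich 1.2.5 adopted is not stated on the page.

```python
import os

PATCH_SUFFIX = ".patch"
# Assumption for this example: cap the sanitized subject at 52 characters.
# Git's format-patch truncates output names too; the page does not state the
# exact limit Dulwich 1.2.5 adopted, so treat this number as illustrative.
MAX_SUBJECT_LEN = 52


def vulnerable_summary(subject: str) -> str:
    """Re-creation of the pre-1.2.5 get_summary behaviour as the advisory
    describes it (only spaces become dashes); not Dulwich's code.

    Path separators, '..' and ':' pass straight through into the filename.
    """
    return subject.replace(" ", "-")


def git_sanitized_subject(subject: str, max_len: int = MAX_SUBJECT_LEN) -> str:
    """Python port of Git's format_sanitized_subject() from pretty.c.

    Only ASCII letters, digits, '.' and '_' are kept.  A run of any other
    characters ('/', '\\', ':', whitespace, ...) becomes a single '-', and only
    between kept characters, never at the start.  Runs of '.' collapse to one
    dot, so '..' cannot survive.  Trailing '.' and '-' are trimmed, and the
    result is truncated to max_len.
    """
    out = []
    pending_dash = False  # rejected characters seen since the last kept one
    i = 0
    while i < len(subject):
        ch = subject[i]
        if (ch.isascii() and ch.isalnum()) or ch in "._":
            if pending_dash and out:
                out.append("-")
            pending_dash = False
            out.append(ch)
            if ch == ".":
                # swallow consecutive dots: "a...b" -> "a.b", "../" -> "."
                while i + 1 < len(subject) and subject[i + 1] == ".":
                    i += 1
        else:
            pending_dash = True
        i += 1
    summary = "".join(out).rstrip(".-")
    # Trim again after truncation so a cut never leaves a trailing dot
    # (slightly stricter than Git, which truncates after trimming).
    return summary[:max_len].rstrip(".-")


def patch_path(outdir: str, index: int, subject: str, sanitize) -> str:
    """Build the output name the way the advisory says format_patch joins it."""
    return os.path.join(outdir, f"{index:04d}-{sanitize(subject)}{PATCH_SUFFIX}")


def escapes_outdir(outdir: str, path: str) -> bool:
    """Defence-in-depth check for callers: does the resolved path leave outdir?

    realpath() normalises '..' (and follows symlinks that already exist), so
    this catches traversal even if a sanitizer is bypassed.
    """
    root = os.path.realpath(outdir)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:  # different drives on Windows: certainly outside
        return True


# Constructed subject lines for the demonstration (not from any real repo).
CONSTRUCTED_SUBJECTS = [
    "Fix parser crash on empty input",
    "x/../../x",               # the POSIX traversal case from the advisory
    "..\\..\\boot.ini",        # Windows-style separators
    "Release: v1.2.5 final",   # ':' is illegal in Windows filenames
    "WIP...",                  # trailing dots
    "a" * 100,                 # exceeds the length cap
]


def main(outdir: str = "patches") -> None:
    """Print, for each subject, the path each version would write and whether
    it resolves outside outdir.  Nothing is written to disk."""
    for subject in CONSTRUCTED_SUBJECTS:
        bad = patch_path(outdir, 1, subject, vulnerable_summary)
        good = patch_path(outdir, 1, subject, git_sanitized_subject)
        print(f"subject:    {subject[:40]!r}")
        print(f"  < 1.2.5:  {bad!r}  escapes={escapes_outdir(outdir, bad)}")
        print(f"  >= 1.2.5: {good!r}  escapes={escapes_outdir(outdir, good)}")


if __name__ == "__main__":
    main()
```

The script only computes paths; it never opens the files, so it is safe to run anywhere. Note that on POSIX the backslash subject does not resolve outside `patches` even with the vulnerable summary, because `\` is not a separator there; the sanitizer still strips it, which is why the fix belongs in the filename logic rather than in any assumption about the host OS. The `escapes_outdir` check is an extra guard for services that cannot upgrade immediately, not a substitute for 1.2.5.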

Impact:

Path traversal leading to arbitrary file write, limited to the process’s write permissions.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
