VYPR

PyPI package

dulwich

pkg:pypi/dulwich

Vulnerabilities (7)

  • CVE-2026-47734MedJun 10, 2026
    affected >= 0.1.0, < 1.2.5fixed 1.2.5

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested i

  • CVE-2026-47712LowJun 10, 2026
    affected >= 0.24.0, < 1.2.5fixed 1.2.5

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replace

  • CVE-2026-42563HigJun 10, 2026
    affected >= 0.24.0, < 1.2.5fixed 1.2.5

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge dr

  • CVE-2026-42305HigJun 10, 2026
    affected >= 0.10.0, < 1.2.5fixed 1.2.5

    Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element

  • CVE-2017-16228CriOct 29, 2017
    affected < 0.18.5fixed 0.18.5

    Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.

  • CVE-2015-0838Mar 31, 2015
    affected < 0.9.9fixed 0.9.9

    Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.

  • CVE-2014-9706Mar 31, 2015
    affected < 0.9.10fixed 0.9.10

    The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.