Dulwich Windows Git Path Flaw Enables Arbitrary File Write and RCE
A high-severity flaw in Dulwich tracked as CVE-2026-42305 allows arbitrary file write and potential remote code execution on Windows when a user clones, fetches, or checks out a malicious Git repository. The bug affects versions 0.10.0 through 1.2.4 and stems from improper validation of tree entry names that Windows interprets as path syntax, including backslashes, NTFS alternate data stream markers, and NTFS 8.3 short-name aliases tied to .git. A crafted repository can write files outside the work tree or place executable content such as .git\hooks\pre-commit.exe inside the victim’s Git metadata, which Git for Windows may later execute in the user’s context.
The project released Dulwich 1.2.5 to fix the issue, correcting mishandled core.protectNTFS and core.protectHFS configuration names, enabling core.protectNTFS by default on all platforms, and tightening checks to block dangerous names including reserved Windows devices like CON, NUL, COM1, and LPT1. Release notes say the update also addresses other security bugs, including unsafe submodule path handling, shell command injection in ProcessMergeDriver, unsafe patch filename generation, and improper receive.maxInputSize enforcement. Maintainers said there is no effective workaround short of upgrading, and warned that even POSIX users can unknowingly propagate malicious trees to Windows users through pushes or republished repositories.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-42305 entry published for Dulwich vulnerability
On 2026-06-10, CVE-2026-42305 was published describing the Dulwich Windows arbitrary file write vulnerability affecting versions before 1.2.5. The entry noted there was no effective pre-patch workaround and advised users to upgrade.
Dulwich publishes advisory for Windows arbitrary file write flaw
On 2026-05-28, a GitHub security advisory disclosed a vulnerability in Dulwich versions 0.10.0 through 1.2.4 that can allow arbitrary file write and possible remote code execution on Windows when cloning, fetching, or checking out a malicious repository. The advisory said version 1.2.5 fixes the issue by correcting configuration handling, enabling core.protectNTFS by default, and tightening NTFS path validation.
Dulwich releases security update version 1.2.5
Dulwich released version 1.2.5 as a security update on 2026-05-28 and urged users to upgrade. The release fixes multiple vulnerabilities, including the Windows NTFS-hostile tree entry flaw later tracked as CVE-2026-42305.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2026-42305 - Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
cvefeed.io
Open sourceArbitrary file write via NTFS-hostile tree entries on Windows · Advisory · jelmer/dulwich · GitHub
github.com
Open sourceRelease dulwich 1.2.5 · jelmer/dulwich · GitHub
github.com
Open sourceAdd NEWS entry for CVE-2026-42305 · jelmer/dulwich@49eb56e · GitHub
github.com
Open sourceMerge branch 'advisory-1' · jelmer/dulwich@57efc4a · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Git Carriage Return Flaw Enables Code Execution During Submodule Initialization
A high-severity vulnerability tracked as **CVE-2025-48384** affects Git’s handling of configuration values containing trailing carriage returns, creating a path for unintended script execution during submodule initialization. According to Armis, the flaw can be abused when an attacker can influence the relevant configuration context, potentially turning routine clone or submodule operations into code execution. Microsoft’s Security Update Guide also lists the issue, identifying it as a Git/GitHub vulnerability. Public exploit activity quickly followed disclosure, with multiple GitHub repositories publishing proof-of-concept material for **CVE-2025-48384**, including variants described as working over HTTPS and others explicitly labeling the issue as carriage-return-driven remote code execution on cloning. The appearance of several PoC repositories indicates that exploit details are broadly accessible, increasing the likelihood of weaponization against developers and build environments that process untrusted repositories or submodules.
May 25, 2026
Warp Fixes Command Injection Flaws in SSH Sessions and Git Branch Selection
Warp disclosed and patched multiple command injection vulnerabilities that could let attacker-controlled input reach shell commands in the terminal and development environment. One flaw, tracked as **CVE-2026-48732** / `GHSA-qqpc-wvvw-4269`, affected legacy SSH background command handling from version `v0.2023.03.21.08.02.stable_00` onward. Malicious remote host, repository, or directory names could inject shell syntax into helper commands used for SSH-backed metadata collection, allowing command execution on the remote host with the victim’s authenticated SSH account after user interaction in an affected legacy SSH session. Warp said the issue was fixed by escaping embedded single quotes in the remote working directory and released patched versions including `v0.2026.05.06.15.42.stable_01` and `v0.2026.05.13.09.15.stable_01`. A separate high-severity flaw, **CVE-2026-48719**, affected Warp versions from `0.2025.08.06.08.12.stable_00` through `0.2026.05.06.15.42.stable_01` and allowed a malicious Git branch name to be interpreted by the victim’s shell when selected from Warp’s prompt branch selector. Warp’s June code changes also show broader hardening of remote SSH session handling, including shell-specific escaping for single quotes before constructing commands such as `cd` and `cat`, plus tests covering Bash, Zsh, Fish, and PowerShell to keep crafted paths inert. The combined disclosures indicate that untrusted repository metadata and remote session context could be weaponized for command execution unless users upgrade to fixed releases.
Jun 24, 2026
GitPython Flaws Let Attackers Bypass Option Checks and Execute Commands
Two high-severity vulnerabilities in **GitPython** allowed attackers to bypass built-in safety checks and reach arbitrary command execution through Git operations. **CVE-2026-42215** affects versions `3.1.30` through `3.1.46` and stems from GitPython validating blocked Git options before normalizing Python keyword arguments: values such as `upload_pack` could pass validation, then be converted into forbidden flags like `--upload-pack` when passed to `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()`, or `Remote.push()`. The flaw could let attacker-controlled input trigger command execution with the privileges of the Python process even when `allow_unsafe_options=False`. A second flaw, **CVE-2026-42284**, affects GitPython before version `3.1.47` and involves unsafe handling of the `multi_options` parameter in `_clone()`. The library checked `multi_options` before later reprocessing it with `shlex.split(" ".join(multi_options))`, enabling crafted input to smuggle additional Git command-line arguments past validation. A string that appeared to be a valid branch selection could be split into separate options, including malicious configuration such as `core.hooksPath`, causing Git to execute attacker-controlled hooks during clone. Both issues were fixed in **GitPython `3.1.47`**.
May 7, 2026