CVE-2026-42305
Status: Deferred - Pending Action
Arbitrary File Write in Dulwich Leading to Remote Code Execution on Windows

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax.

Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name, so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.

Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX, \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.

This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround: on affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading, the NTFS validator is on by default on every platform, so no additional configuration is required.
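The two defects the description names are (1) a path-element validator that let Windows-structural bytes through and (2) a protectNTFS setting read under the wrong option name and defaulted to true only on Windows. The following is an added example, not Dulwich's code and not the 1.2.5 fix, showing what a tree-entry validator and a config lookup that avoid both problems look like. The rule set is modelled on the kinds of checks Git applies under core.protectNTFS (backslash, colon, the 8.3 short name of .git, .git with trailing dots or spaces) plus Windows reserved device names; that it matches either project's exact rules is an assumption, and the function names, the config-mapping shape and the sample paths are constructed for this example.

```python
"""Tree-entry path-element checks of the kind an NTFS-aware validator needs.

Added example, not Dulwich's own code.  The rules are modelled on the checks
Git performs under core.protectNTFS plus Windows reserved device names;
treating this as a faithful copy of either project's validator is an
assumption, not a claim about their code.
"""
import re
from typing import Optional

# Windows reserved device names, matched case-insensitively with any extension
# ignored ("nul.txt" still resolves to the NUL device).
_WIN_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# 8.3 short-name family of ".git" ("GIT~1", "git~2", ...).
_GIT_SHORTNAME = re.compile(rb"^git~[0-9]+$", re.IGNORECASE)


def _strip_ntfs_trailing(name: bytes) -> bytes:
    """NTFS ignores trailing dots and spaces, so ".git. " opens ".git"."""
    return name.rstrip(b". ")


def check_path_element(name: bytes, protect_ntfs: bool = True) -> Optional[str]:
    """Return None if `name` is a safe single path element, else a reason.

    The platform-independent checks always apply.  The NTFS checks apply when
    protect_ntfs is True, which is the default on every platform (as in Git
    upstream), because a tree checked out on POSIX may later reach Windows.
    """
    if not name:
        return "empty element"
    if b"\x00" in name:
        return "NUL byte"
    if b"/" in name:
        return "element contains '/'"
    if name in (b".", b".."):
        return "dot or dot-dot element"
    if name.lower() == b".git":
        return ".git element"
    if not protect_ntfs:
        return None
    # Bytes Windows treats as structural path syntax: '\' separates
    # components, ':' introduces a drive or an NTFS alternate data stream.
    if b"\\" in name:
        return "backslash is a path separator on Windows"
    if b":" in name:
        return "colon denotes a drive or NTFS alternate data stream"
    stripped = _strip_ntfs_trailing(name)
    if stripped.lower() == b".git":
        return ".git with trailing dots/spaces resolves to .git on NTFS"
    if _GIT_SHORTNAME.match(stripped):
        return "8.3 short name of .git"
    base = stripped.split(b".", 1)[0]
    if base.upper().decode("ascii", "replace") in _WIN_RESERVED:
        return "Windows reserved device name"
    return None


def check_tree_path(path: bytes, protect_ntfs: bool = True) -> Optional[str]:
    """Validate a slash-separated tree path; return None or 'element: reason'."""
    if path.startswith(b"/"):
        return "absolute path"
    for element in path.split(b"/"):
        reason = check_path_element(element, protect_ntfs)
        if reason is not None:
            return f"{element!r}: {reason}"
    return None


def protect_ntfs_enabled(config: dict) -> bool:
    """Read core.protectNTFS from a {(section, key): value} mapping (constructed shape).

    Git config names are case-insensitive, so match the key that way and default
    to True on every platform.  Reading the setting under a name other than the
    one users write is exactly how an operator's explicit choice gets ignored.
    """
    for (section, key), value in config.items():
        if section.lower() == "core" and key.lower() == "protectntfs":
            return str(value).strip().lower() in ("true", "yes", "on", "1")
    return True


if __name__ == "__main__":
    # Constructed sample tree paths; none come from a real repository.
    for sample in (b"src/main.py", b"dir\\..\\file.txt", b"notes:stream",
                   b"GIT~1/config", b".git. /hooks/x", b"nul.txt"):
        print(sample, "->", check_tree_path(sample) or "ok")
```

Running the block rejects every sample except src/main.py, and protect_ntfs_enabled({}) returns True, so a checkout on any platform gets the NTFS checks unless an operator deliberately turns them off under the correct key.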
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
python   dulwich   From 0.10.0 (inc) to 1.2.5 (exc)
python   dulwich   1.2.5
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location outside of the restricted directory.
AI Quick Actions
Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols. Versions from 0.10.0 up to but not including 1.2.5 allow an attacker to perform an arbitrary file write leading to remote code execution when a user clones or checks out a malicious Git repository on Windows.

The root cause is that Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax, allowing path traversal and file overwrite outside the intended checkout directory.

Additionally, configuration settings intended to protect against this (core.protectNTFS and core.protectHFS) were looked up under incorrect option names and thus silently ignored, making the protection ineffective.

This issue affects anyone cloning, fetching, or checking out untrusted repositories with Dulwich on Windows, including through the Dulwich CLI, porcelain.clone, or downstream tools built on Dulwich. POSIX systems are not directly exploitable but can propagate malicious trees to Windows users.

The vulnerability is fixed in Dulwich version 1.2.5 and later.

Compliance Impact

The vulnerability in Dulwich allows arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. This could potentially lead to unauthorized access or modification of sensitive data.

Such unauthorized access or data modification could impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding data integrity and preventing unauthorized access.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any specific regulatory implications.

Impact Analysis

This vulnerability can lead to remote code execution on Windows systems when cloning or checking out a malicious Git repository using affected Dulwich versions.

An attacker can write arbitrary files to the victim's system, potentially overwriting important files or placing malicious executables, which can compromise system integrity and security.

Users who clone, fetch, or check out untrusted repositories on Windows with Dulwich versions prior to 1.2.5 are at risk.

There is no effective workaround other than upgrading to version 1.2.5 or later or avoiding untrusted repositories on Windows.

Mitigation Strategies

The vulnerability can be mitigated by upgrading Dulwich to version 1.2.5 or later.

There is no effective pre-patch workaround. Setting the core.protectNTFS configuration key to true on affected versions does not mitigate the issue because it was silently ignored.

If upgrading is not possible, avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows.

After upgrading, the NTFS validator is enabled by default on every platform, so no additional configuration is required.
