CVE-2026-42563: Dulwich Vulnerable to Command Injection via Merge Driver Path

May 28, 2026

Dulwich’s ProcessMergeDriver substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths.

References

github.com/advisories/GHSA-9277-mp7x-85jf
github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5
github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
nvd.nist.gov/vuln/detail/CVE-2026-42563

Code Behaviors & Features

Detect and mitigate CVE-2026-42563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →