CVE-2026-52726— Dulwich 路径遍历漏洞

Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

对路径名的限制不恰当(路径遍历)

Dulwich 路径遍历漏洞

Dulwich是Jelmer Vernooij个人开发者的一款纯Python实现的Git仓库操作接口。 Dulwich 0.23.2版本至1.2.5之前版本存在路径遍历漏洞，该漏洞源于porcelain.submodule_update方法未验证子模块路径，导致恶意.gitmodules可将子模块内容写入.git/hooks目录，从而执行任意代码。

N/A

N/A