CVE-2026-42563: Dulwich Vulnerable to Command Injection via Merge Driver Path

May 28, 2026 (updated June 11, 2026)

Dulwich’s ProcessMergeDriver substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths.

References

github.com/advisories/GHSA-9277-mp7x-85jf
github.com/jelmer/dulwich/commit/e3331b3b3a122fc313460182f928f59723580b7b
github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5
github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
nvd.nist.gov/vuln/detail/CVE-2026-42563

Code Behaviors & Features

Detect and mitigate CVE-2026-42563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →