CVE-2026-42563 - Dulwich merge driver path command injection
Dulwich uses ProcessMergeDriver to run configured merge-driver commands during
Git-style merges. In affected versions, the %P placeholder substitutes the
path from the Git tree directly into a shell command and executes it with
subprocess.run(..., shell=True). If a developer or automation merges an
untrusted branch and a configured merge driver uses %P, a malicious file path
can break shell quoting and execute arbitrary commands on the merge host.
When to use it
Use this recipe when a Python repository, CI job, code-review bot, or agent workspace uses Dulwich to merge untrusted branches while merge drivers are configured. It is designed for source-code remediation, merge-host command boundary review, path interpolation hardening, and evidence that untrusted file paths cannot reach shell-backed merge-driver commands.
Inputs
- Dulwich version, package lockfiles, merge-driver configuration, merge automation scripts, CI/agent workspace settings, and branch trust model.
- Source paths that call Dulwich merge APIs, configure
ProcessMergeDriver, interpolate%P, or run subprocess commands during merges. - Regression fixtures for shell metacharacters in paths, benign paths, untrusted branch merges, disabled shell execution, and safe argv-based merges.
- Boundary evidence: who can open branches/PRs, merge host privileges, secrets available during merge, and rollout owner.
Affected versions
- Vulnerable package:
dulwich >=0.24.0,<1.2.5 - Fixed package:
dulwich 1.2.5+ - Exploitation precondition: a configured merge driver that uses
%P - Attack surface: automated merge bots, CI jobs, developer tooling, or services that merge untrusted branches, pull requests, or repositories
Indicator-of-exposure
- The repository depends on
dulwich >=0.24.0,<1.2.5. - Code or automation uses Dulwich merge flows, merge assistants, review bots, importers, or Git reconciliation services.
- Merge-driver configuration includes
%P, shell snippets,sh -c,bash -c,cmd /c, or other shell-evaluated command templates. - The system merges attacker-influenced branches, forks, mirrors, or imported repositories.
Quick checks:
rg -n "dulwich|merge_blobs|ProcessMergeDriver|merge driver|%P|shell=True|subprocess.run|gitattributes|\.gitattributes|git config.*merge" .
python -m pip show dulwich
rg -n "%P|driver *=|merge\\." .git .github ci scripts src app tools 2>/dev/null
Windows:
rg -n "dulwich|merge_blobs|ProcessMergeDriver|merge driver|%P|shell=True|subprocess.run|gitattributes|\.gitattributes|git config.*merge" .
python -m pip show dulwich
rg -n "%P|driver *=|merge\\." .git .github ci scripts src app tools
Do not merge attacker-controlled branches to prove exploitability, do not run shell-based merge drivers against untrusted repositories, and do not print secrets from CI or developer environments while inspecting merge configuration.
Remediation strategy
- Upgrade every controlled
dulwichdependency, lockfile, virtualenv image, SBOM, and generated dependency report to1.2.5+. - Remove shell-based merge-driver templates that interpolate attacker-controlled paths. Prefer argument-vector execution, trusted wrapper scripts, or merge drivers that do not accept raw path fragments from repository content.
- Disable or refuse custom merge drivers for untrusted repositories, forks, and imported branches where feasible.
- Constrain merge automation so untrusted branches are merged in isolated, ephemeral workers with minimal credentials.
- Review CI logs, merge-bot credentials, and recent untrusted merges if
%Pbased merge drivers were in use before patching.
The prompt
You are remediating CVE-2026-42563 / GHSA-9277-mp7x-85jf, a high-severity
Dulwich command injection where merge-driver `%P` path substitution reaches
`subprocess.run(..., shell=True)`. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Dulwich, removes unsafe
shell-based merge-driver path handling, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Dulwich dependency,
merge flow, merge driver, image, or deployment.
## Rules
- Scope only CVE-2026-42563, Dulwich merge execution, and directly related
merge-driver boundaries.
- Treat repository contents from forks, branches, imported mirrors, CI logs,
credentials, and developer environment state as sensitive.
- Do not create malicious branches, execute shell-injection payloads, or run
live exploit proofs against merge infrastructure.
- Do not remove merge authorization, audit logging, branch protections, or
provenance checks as a shortcut.
- Do not auto-merge.
## Steps
1. Inventory every controlled Dulwich reference: dependency manifests,
lockfiles, vendored code, Dockerfiles, CI images, merge bots, review tools,
import pipelines, and SBOMs.
2. Determine every resolved `dulwich` version. Targets are vulnerable if they
resolve to `>=0.24.0,<1.2.5`.
3. Find every merge path using Dulwich: merge helpers, bot workflows,
reconciliation jobs, repo importers, and custom Git service code.
4. Inspect merge-driver configuration from code, checked-in attributes,
generated configs, and deployment defaults. Flag any command template using
`%P`, shell fragments, `shell=True`, `sh -c`, `bash -c`, or `cmd /c`.
5. If this repository does not control an affected Dulwich dependency or merge
runtime, stop with `TRIAGE.md` listing checked files, external owner if
known, and required fixed version `1.2.5+`.
6. Upgrade all controlled `dulwich` references to `1.2.5+`. Refresh lockfiles,
container layers, SBOMs, generated reports, and docs.
7. Remove unsafe merge-driver path interpolation:
- prefer argument-vector invocation over shell strings;
- avoid passing attacker-controlled file paths through the shell;
- replace `%P`-dependent shell templates with safe wrappers or disable them
for untrusted repos.
8. Fail closed for untrusted repositories:
- disable custom merge drivers where not essential;
- isolate merge jobs in ephemeral workers with least-privilege credentials;
- reject merges that require unsafe driver execution until reviewed.
9. Add regression tests or fixtures that prove:
- vulnerable Dulwich versions are absent;
- merge-driver code paths no longer shell-interpolate repository file paths;
- untrusted repositories cannot trigger unsafe custom merge execution;
- normal trusted merge behavior still works.
10. Add a PR body section named `CVE-2026-42563 operator actions` that states:
- Dulwich versions before and after;
- which merge flows and drivers were patched or triaged;
- whether any `%P`-based merge drivers remain;
- whether CI or bot credentials need review;
- which validation commands passed.
11. Run available validation: dependency install, unit tests, merge workflow
tests, static analysis, container build, SBOM refresh, and non-secret smoke
checks.
12. Use PR title:
`fix(sec): remediate CVE-2026-42563 in dulwich merge drivers`.
## Stop conditions
- No affected Dulwich dependency, merge flow, driver, image, or deployment is
controlled by this repository.
- Fixing requires changes in an external merge platform you do not own.
- Safe remediation would require running exploit payloads against shared
infrastructure.
- Validation fails for unrelated pre-existing reasons; document them instead of
broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades Dulwich, removes shell-based path interpolation from merge drivers, gates untrusted merges, adds regression tests, and documents CI/agent rollout.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, merge-driver exposure, merge host boundary, required fix, and residual risk. - The output must include exact validation commands and must not execute shell payloads, merge untrusted production branches, or expose CI secrets.
Verification - what the reviewer looks for
- No controlled dependency graph resolves
dulwich >=0.24.0,<1.2.5. - Merge-driver execution no longer shell-interpolates repository-controlled paths.
- Untrusted branch or fork merges are blocked, isolated, or safely handled.
- Tests cover the unsafe
%Ppath pattern without executing injected commands.
Watch for
- Upgrading manifests while lockfiles, images, or SBOMs still resolve the vulnerable version.
- Keeping custom merge drivers that still rely on shell parsing of raw paths.
- Treating trusted internal repos and attacker-controlled forks as equivalent.
- Logging merge commands with sensitive environment variables or tokens.
Related recipes
- Source code supply chain build integrity audit
- Source code injection sink audit
- Source code attack surface map
- SAST finding triage and fix
References
- GitHub Advisory: https://github.com/advisories/GHSA-9277-mp7x-85jf
- Maintainer advisory: https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42563