CVE-2026-42563 - Dulwich merge driver path command injection

Dulwich uses ProcessMergeDriver to run configured merge-driver commands during Git-style merges. In affected versions, the %P placeholder substitutes the path from the Git tree directly into a shell command and executes it with subprocess.run(..., shell=True). If a developer or automation merges an untrusted branch and a configured merge driver uses %P, a malicious file path can break shell quoting and execute arbitrary commands on the merge host.

When to use it

Use this recipe when a Python repository, CI job, code-review bot, or agent workspace uses Dulwich to merge untrusted branches while merge drivers are configured. It is designed for source-code remediation, merge-host command boundary review, path interpolation hardening, and evidence that untrusted file paths cannot reach shell-backed merge-driver commands.

Inputs

  • Dulwich version, package lockfiles, merge-driver configuration, merge automation scripts, CI/agent workspace settings, and branch trust model.
  • Source paths that call Dulwich merge APIs, configure ProcessMergeDriver, interpolate %P, or run subprocess commands during merges.
  • Regression fixtures for shell metacharacters in paths, benign paths, untrusted branch merges, disabled shell execution, and safe argv-based merges.
  • Boundary evidence: who can open branches/PRs, merge host privileges, secrets available during merge, and rollout owner.

Affected versions

  • Vulnerable package: dulwich >=0.24.0,<1.2.5
  • Fixed package: dulwich 1.2.5+
  • Exploitation precondition: a configured merge driver that uses %P
  • Attack surface: automated merge bots, CI jobs, developer tooling, or services that merge untrusted branches, pull requests, or repositories

Indicator-of-exposure

  • The repository depends on dulwich >=0.24.0,<1.2.5.
  • Code or automation uses Dulwich merge flows, merge assistants, review bots, importers, or Git reconciliation services.
  • Merge-driver configuration includes %P, shell snippets, sh -c, bash -c, cmd /c, or other shell-evaluated command templates.
  • The system merges attacker-influenced branches, forks, mirrors, or imported repositories.

Quick checks:

rg -n "dulwich|merge_blobs|ProcessMergeDriver|merge driver|%P|shell=True|subprocess.run|gitattributes|\.gitattributes|git config.*merge" .
python -m pip show dulwich
rg -n "%P|driver *=|merge\\." .git .github ci scripts src app tools 2>/dev/null

Windows:

rg -n "dulwich|merge_blobs|ProcessMergeDriver|merge driver|%P|shell=True|subprocess.run|gitattributes|\.gitattributes|git config.*merge" .
python -m pip show dulwich
rg -n "%P|driver *=|merge\\." .git .github ci scripts src app tools

Do not merge attacker-controlled branches to prove exploitability, do not run shell-based merge drivers against untrusted repositories, and do not print secrets from CI or developer environments while inspecting merge configuration.

Remediation strategy

  • Upgrade every controlled dulwich dependency, lockfile, virtualenv image, SBOM, and generated dependency report to 1.2.5+.
  • Remove shell-based merge-driver templates that interpolate attacker-controlled paths. Prefer argument-vector execution, trusted wrapper scripts, or merge drivers that do not accept raw path fragments from repository content.
  • Disable or refuse custom merge drivers for untrusted repositories, forks, and imported branches where feasible.
  • Constrain merge automation so untrusted branches are merged in isolated, ephemeral workers with minimal credentials.
  • Review CI logs, merge-bot credentials, and recent untrusted merges if %P based merge drivers were in use before patching.

The prompt

You are remediating CVE-2026-42563 / GHSA-9277-mp7x-85jf, a high-severity
Dulwich command injection where merge-driver `%P` path substitution reaches
`subprocess.run(..., shell=True)`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Dulwich, removes unsafe
  shell-based merge-driver path handling, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Dulwich dependency,
  merge flow, merge driver, image, or deployment.

## Rules

- Scope only CVE-2026-42563, Dulwich merge execution, and directly related
  merge-driver boundaries.
- Treat repository contents from forks, branches, imported mirrors, CI logs,
  credentials, and developer environment state as sensitive.
- Do not create malicious branches, execute shell-injection payloads, or run
  live exploit proofs against merge infrastructure.
- Do not remove merge authorization, audit logging, branch protections, or
  provenance checks as a shortcut.
- Do not auto-merge.

## Steps

1. Inventory every controlled Dulwich reference: dependency manifests,
   lockfiles, vendored code, Dockerfiles, CI images, merge bots, review tools,
   import pipelines, and SBOMs.
2. Determine every resolved `dulwich` version. Targets are vulnerable if they
   resolve to `>=0.24.0,<1.2.5`.
3. Find every merge path using Dulwich: merge helpers, bot workflows,
   reconciliation jobs, repo importers, and custom Git service code.
4. Inspect merge-driver configuration from code, checked-in attributes,
   generated configs, and deployment defaults. Flag any command template using
   `%P`, shell fragments, `shell=True`, `sh -c`, `bash -c`, or `cmd /c`.
5. If this repository does not control an affected Dulwich dependency or merge
   runtime, stop with `TRIAGE.md` listing checked files, external owner if
   known, and required fixed version `1.2.5+`.
6. Upgrade all controlled `dulwich` references to `1.2.5+`. Refresh lockfiles,
   container layers, SBOMs, generated reports, and docs.
7. Remove unsafe merge-driver path interpolation:
   - prefer argument-vector invocation over shell strings;
   - avoid passing attacker-controlled file paths through the shell;
   - replace `%P`-dependent shell templates with safe wrappers or disable them
     for untrusted repos.
8. Fail closed for untrusted repositories:
   - disable custom merge drivers where not essential;
   - isolate merge jobs in ephemeral workers with least-privilege credentials;
   - reject merges that require unsafe driver execution until reviewed.
9. Add regression tests or fixtures that prove:
   - vulnerable Dulwich versions are absent;
   - merge-driver code paths no longer shell-interpolate repository file paths;
   - untrusted repositories cannot trigger unsafe custom merge execution;
   - normal trusted merge behavior still works.
10. Add a PR body section named `CVE-2026-42563 operator actions` that states:
    - Dulwich versions before and after;
    - which merge flows and drivers were patched or triaged;
    - whether any `%P`-based merge drivers remain;
    - whether CI or bot credentials need review;
    - which validation commands passed.
11. Run available validation: dependency install, unit tests, merge workflow
    tests, static analysis, container build, SBOM refresh, and non-secret smoke
    checks.
12. Use PR title:
    `fix(sec): remediate CVE-2026-42563 in dulwich merge drivers`.

## Stop conditions

- No affected Dulwich dependency, merge flow, driver, image, or deployment is
  controlled by this repository.
- Fixing requires changes in an external merge platform you do not own.
- Safe remediation would require running exploit payloads against shared
  infrastructure.
- Validation fails for unrelated pre-existing reasons; document them instead of
  broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Dulwich, removes shell-based path interpolation from merge drivers, gates untrusted merges, adds regression tests, and documents CI/agent rollout.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, merge-driver exposure, merge host boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not execute shell payloads, merge untrusted production branches, or expose CI secrets.

Verification - what the reviewer looks for

  • No controlled dependency graph resolves dulwich >=0.24.0,<1.2.5.
  • Merge-driver execution no longer shell-interpolates repository-controlled paths.
  • Untrusted branch or fork merges are blocked, isolated, or safely handled.
  • Tests cover the unsafe %P path pattern without executing injected commands.

Watch for

  • Upgrading manifests while lockfiles, images, or SBOMs still resolve the vulnerable version.
  • Keeping custom merge drivers that still rely on shell parsing of raw paths.
  • Treating trusted internal repos and attacker-controlled forks as equivalent.
  • Logging merge commands with sensitive environment variables or tokens.

References