Critical Arbitrary File Write Vulnerability in Dulwich Git Library (CVE-2026-42305) Allows RCE on Windows
Summary
A security vulnerability (CVE-2026-42305) has been discovered in Dulwich, a pure-Python Git implementation. Versions 0.10.0 through 1.2.4 are affected by an arbitrary file write flaw that can lead to remote code execution when cloning, fetching, or checking out a malicious Git repository on Windows. The issue stems from Dulwich's path-element validator accepting tree entries whose filenames contain bytes that Windows interprets as structural path syntax, combined with configuration bugs that caused the core.protectNTFS and core.protectHFS settings to be silently ignored, so setting them on an affected version does not mitigate the flaw. The vulnerability is fixed in version 1.2.5, which enables NTFS protection by default on all platforms with no additional configuration required. No effective workaround exists for affected versions; users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows.
Key quotes
Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax.
Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted.
On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue.
Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows.
After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.
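The advisory summary and the quotes above describe two distinct defects: a path-element validator that let Windows path syntax through, and a config reader that ignored core.protectNTFS. The following is an added example, not Dulwich's own code and not the fix shipped in 1.2.5, of what a validator in the spirit of git's core.protectNTFS checks on each tree-entry name (backslashes, colons for drive letters and NTFS alternate data streams, NTFS-stripped trailing dots and spaces, reserved device names, and `.git` in any case or as its `GIT~1` 8.3 short name), together with a config lookup that treats the protection as on unless explicitly disabled, on every platform. The sample tree entries at the bottom are constructed for illustration; the specific byte set checked is this example's assumption about what "structural path syntax" covers, not a list taken from the advisory.

```python
import re
from typing import Dict, List, Optional

# Constructed example, not Dulwich's own code: a path-element validator of
# the kind the advisory describes, rejecting tree-entry names that Windows
# would treat as path syntax rather than as a plain file name.

_WIN_RESERVED = {
    "con", "prn", "aux", "nul",
    *(f"com{i}" for i in range(1, 10)),
    *(f"lpt{i}" for i in range(1, 10)),
}

# 8.3 short-name alias for ".git" looks like "git~1", "GIT~2", ...
_SHORT_GIT = re.compile(rb"^git~[1-9][0-9]*$", re.IGNORECASE)


def rejection_reason(name: bytes) -> Optional[str]:
    """Return why `name` is unsafe as a single path element, or None if safe.

    The checks mirror the intent of git's core.protectNTFS: a tree entry must
    name exactly one file or directory and must not collide with the
    repository's own .git directory under NTFS name handling.
    """
    if not name or name in (b".", b".."):
        return "empty or dot entry"
    if b"\x00" in name:
        return "NUL byte"
    if b"/" in name:
        return "forward slash (tree entries name one component)"
    if b"\\" in name:
        return "backslash (Windows path separator)"
    if b":" in name:
        return "colon (drive letter or NTFS alternate data stream)"
    # NTFS silently strips trailing dots and spaces, so "dir. " opens "dir".
    stem = name.rstrip(b". ")
    if stem != name:
        return "trailing dot or space (stripped by NTFS)"
    # Device names are reserved regardless of extension: "nul.txt" -> NUL.
    base = stem.split(b".", 1)[0].lower().decode("ascii", "replace")
    if base in _WIN_RESERVED:
        return "Windows reserved device name"
    if stem.lower() == b".git" or _SHORT_GIT.match(stem):
        return ".git or its 8.3 short-name alias"
    return None


def validate_tree_path(path: bytes) -> List[str]:
    """Validate every '/'-separated element of a repository path; return
    the list of rejection reasons (empty when the whole path is acceptable)."""
    return [r for r in (rejection_reason(el) for el in path.split(b"/")) if r]


def should_protect_ntfs(config: Dict[str, str]) -> bool:
    """Read core.protectNTFS the way the advisory says the fixed release
    behaves: protection is on unless explicitly turned off, on every
    platform.  Constructed stand-in for a real git config reader; keys are
    assumed to be lower-cased 'section.name' strings."""
    value = config.get("core.protectntfs", "true").strip().lower()
    return value not in ("false", "0", "no", "off")


if __name__ == "__main__":
    # Constructed tree entries of the kind a malicious repository might ship.
    samples = [
        b"README.md",
        b"src\\..\\..\\evil.py",
        b".git:alternate",
        b"GIT~1/hooks/post-checkout",
        b"nul.txt",
        b"config. ",
    ]
    for s in samples:
        print(s, "->", validate_tree_path(s) or "ok")
    print("protectNTFS default:", should_protect_ntfs({}))
```

Because the check runs on every element of every path before anything is written to disk, a single offending entry anywhere in a tree fails the checkout rather than silently writing outside the work tree or into `.git/hooks`. The point of `should_protect_ntfs` defaulting to true on all platforms is the same one the advisory makes: a clone performed on Linux can later be opened on Windows, so the decision cannot hinge on the platform doing the checkout.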
