CVE Catalog

CVE-2026-47734

MediumCVSS 5.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

10th percentile — higher than 10% of all known CVEs

Summary

Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability that allows a client with push access to send a small crafted pack, leading to the allocation of a huge amount of memory. The issue affects versions from 0.1.0 to 1.2.5 and is patched in version 1.2.5.

Risk Assessment

Organizations using a Dulwich-based Git server that accepts pushes may be vulnerable to attacks that lead to server memory exhaustion, potentially causing it to crash.

Recommendation

It is recommended to upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in the repository configuration. Until upgrading, access to dulwich-receive-pack should be restricted to trusted clients or completely disabled on servers that do not require push handling.

Original NVD description (English source)

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS