CVE-2026-47734

Published: Giu 11, 2026 Last Modified: Giu 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: required

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.

AI Generated Translation

Dulwich è un'implementazione in pure Python dei formati e dei protocolli Git. A partire dalla versione 0.1.0 e fino alla versione 1.2.5, un client con accesso push poteva inviare un tiny crafted thin pack (~174 byte) il cui delta header dichiara un enorme dest_size. Quando Dulwich lo elaborava tramite add_thin_pack / apply_delta, allocava centinaia di MB di memoria in base a quella dimensione controllata dall'attaccante, senza alcuna relazione con i byte effettivamente ricevuti. Gli operatori che gestiscono un server Git basato su Dulwich che espone git-receive-pack (cioè che accetta push) — ad esempio tramite le funzionalità di dulwich.server, il server smart HTTP, o qualsiasi sistema costruito su ReceivePackHandler — sono interessati. Il problema è stato risolto nella versione 1.2.5. add_thin_pack ora accetta il parametro keyword max_input_size (byte; 0/None = illimitato, in linea con la semantica di git), e ReceivePackHandler legge receive.maxInputSize dalla configurazione del repository e lo passa avanti. Le letture sulla rete vengono conteggiate e viene sollevata un’eccezione PackInputTooLarge una volta superato il limite — equivalente a git index-pack --max-input-size. Gli utenti dovrebbero aggiornare a Dulwich 1.2.5 o versioni successive e impostare receive.maxInputSize nella configurazione del repository del server a un limite ragionevole per il loro ambiente. Nelle versioni non patchate, receive.maxInputSize non ha effetto, quindi non può essere usato come workaround. Fino all’aggiornamento, gli operatori dovrebbero limitare l’accesso dulwich-receive-pack (push) solo a client affidabili e autenticati, oppure disabilitarlo completamente sui server che devono solo servire fetch e/o eseguire il server sotto un limite di memoria a livello OS (ad esempio ulimit, cgroups/MemoryMax, o un limite di memoria del container) in modo che un push malevolo venga terminato anziché compromettere l’host.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

EPSS Score Trend (Last 4 Days)

400

Uncontrolled Resource Consumption

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Access Control Other

Potential Impacts:

Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Bypass Protection Mechanism Other

Applicable Platforms

Technologies: Not Technology-Specific, AI/ML

Likelihood of Exploit: High

View CWE Details

789

Memory Allocation with Excessive Size Value

Draft

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Availability

Potential Impacts:

Dos: Resource Consumption (Memory)

Applicable Platforms

Languages: C, C++, Not Language-Specific

View CWE Details

https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5

https://github.com/jelmer/dulwich/security/advisories/GHSA-…

https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj

CVE-2026-47734

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 4 Days)

Uncontrolled Resource Consumption

Common Consequences

Applicable Platforms

Memory Allocation with Excessive Size Value

Common Consequences

Applicable Platforms

Iscriviti alla newsletter