PT-2026-47208 · Pypi · Dulwich

Published

2026-05-29

·

Updated

2026-06-11

·

CVE-2026-47734

CVSS v3.1

5.7

Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Dulwich versions prior to 1.2.5

Description

An uncontrolled resource consumption issue leads to memory exhaustion and denial of service. A client with push access can send a small crafted thin pack whose delta header specifies an excessively large destination size. When the software processes this via the add thin pack or apply delta functions, it allocates hundreds of megabytes of memory based on the attacker-controlled size, regardless of the number of bytes actually received. This affects operators running a Dulwich-based Git server that accepts pushes, such as those using dulwich.server functionality, the HTTP smart server, or components built on ReceivePackHandler.

Recommendations

Update to version 1.2.5 or later and configure receive.maxInputSize in the server repository configuration to a reasonable limit. Restrict push access to trusted, authenticated clients only, or disable it on servers that only require fetch capability. Implement OS-level memory limits using tools such as ulimit, cgroups/MemoryMax, or container memory limits so that a malicious push cannot crash the host.
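The defensive pattern behind the fix is to validate the sizes declared in a delta header before allocating anything for the result. The following is an added example, not Dulwich's code: a standalone decoder for the Git delta format (two base-128 varints for base size and result size, followed by copy and insert opcodes) that checks the declared result size against a policy cap and the declared base size against the real base object, then grows the output incrementally and never past the declared size. The cap MAX_DELTA_RESULT_SIZE, the helper names, and the sample deltas are constructed assumptions for illustration.

```python
# Added example (not Dulwich's code): validate a Git delta header before
# allocating for the result. The cap and samples below are assumptions.

MAX_DELTA_RESULT_SIZE = 64 * 1024 * 1024  # assumed server policy: 64 MiB per object


def read_varint(data: bytes, offset: int) -> tuple[int, int]:
    """Decode the little-endian base-128 varint of a Git delta header.
    7 payload bits per byte, low bits first; high bit set means more follows."""
    value, shift = 0, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated varint in delta header")
        if shift > 63:
            raise ValueError("varint longer than 64 bits")
        byte = data[offset]
        offset += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, offset


def encode_varint(n: int) -> bytes:
    """Inverse of read_varint; only used to build the constructed samples."""
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def parse_delta_header(delta: bytes) -> tuple[int, int, int]:
    """Return (declared_base_size, declared_result_size, body_offset)."""
    src_size, off = read_varint(delta, 0)
    dest_size, off = read_varint(delta, off)
    return src_size, dest_size, off


def check_delta_sizes(delta: bytes, base_len: int,
                      max_result: int = MAX_DELTA_RESULT_SIZE) -> tuple[int, int]:
    """Reject bad headers before any buffer is sized from attacker-controlled values."""
    src_size, dest_size, body_off = parse_delta_header(delta)
    if src_size != base_len:
        raise ValueError(f"delta declares base size {src_size}, base is {base_len} bytes")
    if dest_size > max_result:
        raise ValueError(f"delta result size {dest_size} exceeds cap {max_result}")
    return dest_size, body_off


def _byte_at(delta: bytes, off: int) -> int:
    if off >= len(delta):
        raise ValueError("delta truncated inside an opcode")
    return delta[off]


def apply_delta(base: bytes, delta: bytes,
                max_result: int = MAX_DELTA_RESULT_SIZE) -> bytes:
    """Apply a Git delta, growing the output incrementally and never past dest_size."""
    dest_size, off = check_delta_sizes(delta, len(base), max_result)
    out = bytearray()
    while off < len(delta):
        cmd = delta[off]
        off += 1
        if cmd & 0x80:
            # copy op: bits 0-3 say which offset bytes follow, bits 4-6 which size bytes
            cp_off = cp_size = 0
            for i in range(4):
                if cmd & (1 << i):
                    cp_off |= _byte_at(delta, off) << (8 * i)
                    off += 1
            for i in range(3):
                if cmd & (1 << (4 + i)):
                    cp_size |= _byte_at(delta, off) << (8 * i)
                    off += 1
            if cp_size == 0:
                cp_size = 0x10000  # Git convention: size 0 means 64 KiB
            if cp_off + cp_size > len(base):
                raise ValueError("copy op reads past end of base object")
            out += base[cp_off:cp_off + cp_size]
        elif cmd:
            # insert op: the next cmd bytes are literal data
            if off + cmd > len(delta):
                raise ValueError("insert op runs past end of delta")
            out += delta[off:off + cmd]
            off += cmd
        else:
            raise ValueError("reserved delta opcode 0")
        if len(out) > dest_size:
            raise ValueError("delta produces more data than its header declares")
    if len(out) != dest_size:
        raise ValueError(f"delta produced {len(out)} bytes, header declared {dest_size}")
    return bytes(out)


def is_rejected(base: bytes, delta: bytes) -> bool:
    """True if apply_delta refuses the delta."""
    try:
        apply_delta(base, delta)
    except ValueError:
        return True
    return False


# Constructed samples (not captured traffic).
BASE = b"hello world"
# Well-formed delta: insert "HELLO," then copy 6 bytes from base offset 5 -> "HELLO, world"
GOOD_DELTA = (encode_varint(len(BASE)) + encode_varint(12)
              + b"\x06HELLO," + bytes([0x80 | 0x01 | 0x10, 0x05, 0x06]))
# A few bytes whose header declares an 800 MiB result; rejected before allocation.
CRAFTED_DELTA = encode_varint(len(BASE)) + encode_varint(800 * 1024 * 1024) + b"\x00"

if __name__ == "__main__":
    print(apply_delta(BASE, GOOD_DELTA))          # b'HELLO, world'
    print(parse_delta_header(CRAFTED_DELTA)[1])   # 838860800
    print(is_rejected(BASE, CRAFTED_DELTA))       # True
```

The cap is a per-object bound and complements, rather than replaces, the receive.maxInputSize limit on the whole pack and the OS-level memory limits listed above: the header check costs only the bytes actually received, while the incremental output and the final length comparison catch deltas whose body disagrees with a header that passed the cap.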

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-47734
GHSA-XRVJ-V92F-53GJ

Affected Products

Dulwich