dulwich: Memory exhaustion via crafted thin pack (CVE-2024-?)
A memory exhaustion vulnerability (CWE-400/CWE-789) in add_thin_pack / apply_delta allows a push client to cause denial of service by sending a crafted thin pack with a huge dest_size, leading to excessive memory allocation.
What changed
Patched in version 1.2.5 by adding a max_input_size parameter to the affected code path and a PackInputTooLarge exception that is raised when a pack or delta declares a size above that bound.
Who it affects
Operators running a Dulwich-based Git server that exposes git-receive-pack (accepts pushes), e.g., via dulwich.server, HTTP smart server, or ReceivePackHandler.
What to do today
Upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in the repository config to a bound sized for the largest push you legitimately expect.
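As an added illustration of the fix described under "What changed" and of the bound that "What to do today" asks operators to configure, the block below is example code written for this advisory, not dulwich's own implementation. It parses the Git delta header (source size and target size as little-endian base-128 varints), rejects the delta if the declared target size exceeds max_input_size before any buffer is allocated, and applies the copy/insert instructions into a buffer that grows incrementally rather than being preallocated to the attacker-controlled dest_size. The PackInputTooLarge class, the apply_delta signature and the accepts helper are stand-ins defined here, and the sample deltas are constructed for the example.

```python
"""Bounded delta application (added example; not dulwich's code)."""
from typing import Optional, Tuple


class PackInputTooLarge(Exception):
    """Stand-in for the exception named in the advisory (assumed name)."""


def read_varint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a little-endian base-128 size as used in Git delta headers."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated delta header")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def encode_varint(value: int) -> bytes:
    """Inverse of read_varint; used only to build the sample deltas below."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def apply_delta(base: bytes, delta: bytes, max_input_size: Optional[int] = None) -> bytes:
    """Apply a Git delta to base, refusing oversized declared outputs up front."""
    src_size, pos = read_varint(delta, 0)
    dest_size, pos = read_varint(delta, pos)
    if src_size != len(base):
        raise ValueError("delta source size does not match base object")
    # The check that matters: reject before allocating anything proportional
    # to the peer-supplied dest_size.
    if max_input_size is not None and dest_size > max_input_size:
        raise PackInputTooLarge(f"delta declares {dest_size} bytes, limit is {max_input_size}")
    out = bytearray()  # grows with real instructions; never preallocated to dest_size
    while pos < len(delta):
        cmd = delta[pos]
        pos += 1
        if cmd & 0x80:
            # Copy from base: bits 0-3 select offset bytes, bits 4-6 select size bytes.
            offset, size = 0, 0
            for i in range(4):
                if cmd & (1 << i):
                    offset |= delta[pos] << (8 * i)
                    pos += 1
            for i in range(3):
                if cmd & (1 << (4 + i)):
                    size |= delta[pos] << (8 * i)
                    pos += 1
            if size == 0:
                size = 0x10000
            if offset + size > len(base):
                raise ValueError("copy instruction reads past base object")
            out += base[offset:offset + size]
        elif cmd:
            # Insert: low 7 bits give the literal length.
            if pos + cmd > len(delta):
                raise ValueError("insert instruction runs past end of delta")
            out += delta[pos:pos + cmd]
            pos += cmd
        else:
            raise ValueError("invalid delta opcode 0")
        if len(out) > dest_size:
            raise ValueError("delta output exceeds declared size")
    if len(out) != dest_size:
        raise ValueError("delta output shorter than declared size")
    return bytes(out)


def accepts(base: bytes, delta: bytes, max_input_size: Optional[int]) -> bool:
    """True if the delta passes the size bound, False if it is rejected."""
    try:
        apply_delta(base, delta, max_input_size)
        return True
    except PackInputTooLarge:
        return False


# Constructed sample inputs (not from the advisory).
BASE = b"hello world"
# copy 5 bytes from offset 6 of BASE -> b"world"
DELTA_COPY = encode_varint(len(BASE)) + encode_varint(5) + bytes([0x80 | 0x01 | 0x10, 6, 5])
# insert the literal b"abc"
DELTA_INSERT = encode_varint(len(BASE)) + encode_varint(3) + bytes([3]) + b"abc"
# header claims a 1 TiB output; must be refused before any allocation
DELTA_OVERSIZED = encode_varint(len(BASE)) + encode_varint(1 << 40) + bytes([0])

if __name__ == "__main__":
    print(apply_delta(BASE, DELTA_COPY))
    print(apply_delta(BASE, DELTA_INSERT))
    print(accepts(BASE, DELTA_OVERSIZED, 1 << 20))
```

Two design choices are worth stating. The size bound is enforced on the declared dest_size before the instruction loop runs, so a header alone cannot trigger a large allocation; and the output buffer grows only as instructions actually produce bytes, so even without a configured bound the allocation tracks the delta's real content rather than its header claim. The checks on copy offsets and insert lengths are ordinary delta validation and are not the subject of this advisory.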