Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, "dulwich.porcelain.submodule_update", and by extension "porcelain.clone(..., recurse_submodules=True)", materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious ".gitmodules" plus a matching tree gitlink whose "path" is ".git/hooks" (or any other directory inside the parent repository's ".git" directory) causes the attacker's submodule tree contents to be written directly into the victim's ".git/hooks/" directory, preserving executable mode bits. The dropped executables are then run by any subsequent "git" or "dulwich" command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.