CVE-2025-54583

GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a	Patch
https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9	Patch
https://github.com/finos/git-proxy/releases/tag/v1.19.2	Patch Release Notes
https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-30 20:15

Updated : 2025-08-01 20:04

NVD link : CVE-2025-54583

Mitre link : CVE-2025-54583

CVE.ORG link : CVE-2025-54583

JSON object : View

Products Affected

finos

gitproxy

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-54583", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-30T20:15:38.177", "references": [{"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "tags": ["Patch", "Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2."}, {"lang": "es", "value": "GitProxy es una aplicaci\u00f3n que se interpone entre los desarrolladores y un endpoint remoto de Git (p. ej., github.com). Las versiones 1.19.1 y anteriores permiten a los usuarios enviar contenido a repositorios remotos, omitiendo pol\u00edticas y aprobaciones expl\u00edcitas. Dado que se omiten las comprobaciones y los complementos, el c\u00f3digo que contiene secretos o cambios no deseados podr\u00eda enviarse a un repositorio. Esto se solucion\u00f3 en la versi\u00f3n 1.19.2."}], "lastModified": "2025-08-01T20:04:33.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5066AC65-E6FA-4582-AE66-0CBBED07F809", "versionEndExcluding": "1.19.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}