CVE-2025-54584

GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f	Patch
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a	Patch
https://github.com/finos/git-proxy/releases/tag/v1.19.2	Patch Release Notes
https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-30 20:15

Updated : 2025-08-01 20:04

NVD link : CVE-2025-54584

Mitre link : CVE-2025-54584

CVE.ORG link : CVE-2025-54584

JSON object : View

Products Affected

finos

gitproxy

CWE

CWE-115

Misinterpretation of Input

{"id": "CVE-2025-54584", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-30T20:15:38.357", "references": [{"url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "tags": ["Patch", "Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-115"}]}], "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."}, {"lang": "es", "value": "GitProxy es una aplicaci\u00f3n que se interpone entre los desarrolladores y un endpoint remoto de Git (p. ej., github.com). En las versiones 1.19.1 y anteriores, un atacante puede manipular un archivo de paquete de Git malicioso para explotar la detecci\u00f3n de la firma PACK en el archivo parsePush.ts. Al incrustar una firma PACK enga\u00f1osa en el contenido del commit y construir cuidadosamente la estructura del paquete, el atacante puede enga\u00f1ar al analizador para que trate datos no v\u00e1lidos o no deseados como el archivo de paquete. Esto podr\u00eda permitir eludir la aprobaci\u00f3n u ocultar commits. Este problema se solucion\u00f3 en la versi\u00f3n 1.19.2."}], "lastModified": "2025-08-01T20:04:28.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5066AC65-E6FA-4582-AE66-0CBBED07F809", "versionEndExcluding": "1.19.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}