CVE-2025-54585

GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a	Patch
https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531	Patch
https://github.com/finos/git-proxy/releases/tag/v1.19.2	Patch Release Notes
https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-30 21:15

Updated : 2025-08-01 20:04

NVD link : CVE-2025-54585

Mitre link : CVE-2025-54585

CVE.ORG link : CVE-2025-54585

JSON object : View

Products Affected

finos

gitproxy

CWE

CWE-285

Improper Authorization

{"id": "CVE-2025-54585", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-30T21:15:26.310", "references": [{"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "tags": ["Patch", "Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2."}, {"lang": "es", "value": "GitProxy es una aplicaci\u00f3n que se interpone entre los desarrolladores y un endpoint remoto de Git. En las versiones 1.19.1 y anteriores, los atacantes pueden explotar la forma en que GitProxy gestiona la creaci\u00f3n de nuevas ramas para omitir la aprobaci\u00f3n de commits previas en la rama principal. Esta vulnerabilidad afecta a todos los usuarios u organizaciones que dependen de GitProxy para aplicar pol\u00edticas y evitar cambios no aprobados. No requiere privilegios elevados m\u00e1s all\u00e1 del acceso normal a las notificaciones push, ni interacci\u00f3n adicional del usuario. Sin embargo, requiere que un administrador de GitProxy o un usuario designado (canUserApproveRejectPush) apruebe las notificaciones push a la rama secundaria. Esto se corrigi\u00f3 en la versi\u00f3n 1.19.2."}], "lastModified": "2025-08-01T20:04:19.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5066AC65-E6FA-4582-AE66-0CBBED07F809", "versionEndExcluding": "1.19.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}